Summary
Gitea before 1.26.2 has an authorization bypass in its "Allow edits from maintainers" pull-request feature (CVE-2026-26231). The maintainer edit permission was not properly scoped, so a user could push unauthorized commits to any repository they could merely read. In effect, read access to a repo could be turned into write access through a crafted pull request.
How to fix it
- Upgrade Gitea to 1.26.2 or later, which adds the missing authorization check.
- Audit affected repositories for unexpected commits made through pull requests during the exposure window, and review your maintainer-edit settings.
- If you cannot upgrade immediately, restrict who can open pull requests and tighten repository read access.
How to avoid it in your code
- Enforce authorization on every write path, including indirect ones like maintainer edits, fork syncs, and merge actions; never infer write rights from read access.
- Apply least-privilege repository permissions and keep read and write grants explicit and separate.
- Keep self-hosted forge software (Gitea, Forgejo, GitLab) patched promptly; code-hosting platforms are high-value targets.
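As an added illustration of the "never infer write rights from read access" rule above (not Gitea's code; the `Perm`, `Repo`, `PullRequest` types and `canPushToBranch` are hypothetical), this binds a maintainer-edit push to the pull request it belongs to: the target must be the PR's head repo and branch, the head must be a fork of the PR's base, and the pusher needs Write on that base.

```go
package main

// Added illustration of scoping an "allow edits from maintainers" push check.
// Not Gitea's code: Perm, Repo, PullRequest and canPushToBranch are hypothetical.

type Perm int

const (
	None Perm = iota
	Read
	Write
)

// Repo is a repository; ForkOf holds the upstream repo ID (0 if not a fork).
type Repo struct{ ID, ForkOf int64 }

type PullRequest struct {
	BaseRepo, HeadRepo  *Repo
	HeadBranch          string
	AllowMaintainerEdit bool
}

// Perms maps userID -> repoID -> permission (constructed stand-in for a DB).
type Perms map[int64]map[int64]Perm

func (p Perms) Get(userID, repoID int64) Perm { return p[userID][repoID] }

// canPushToBranch decides whether userID may push to branch in repo.
// Write access on the repo itself is sufficient. Otherwise the push is only
// allowed as a maintainer edit, and every condition is bound to the PR:
// the PR must opt in, its head must be exactly this repo and branch, the
// head must be a fork of the PR's base, and the user needs Write (never
// merely Read) on that base repo.
func canPushToBranch(perms Perms, userID int64, repo *Repo, branch string, pr *PullRequest) bool {
	if perms.Get(userID, repo.ID) >= Write {
		return true
	}
	if pr == nil || !pr.AllowMaintainerEdit || pr.BaseRepo == nil || pr.HeadRepo == nil {
		return false
	}
	if pr.HeadRepo.ID != repo.ID || pr.HeadBranch != branch {
		return false // the PR's head is not this repo/branch
	}
	if pr.BaseRepo.ID == repo.ID || pr.HeadRepo.ForkOf != pr.BaseRepo.ID {
		return false // only a fork's upstream maintainers may edit it
	}
	return perms.Get(userID, pr.BaseRepo.ID) >= Write
}
```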
Related vulnerabilities
- CVE-2026-52799 (HIGH): Gogs Missing Authorization in Attachment Download
- CVE-2026-50137 (HIGH): Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
- CVE-2026-44585 (MEDIUM): Paymenter has broken object level authorization via service reference manipulation on ticket creation
- CVE-2026-33684 (MEDIUM): AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
- GHSA-hv6h-hc26-q48p (MEDIUM): SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
- GHSA-6gqw-jqv7-v88m (HIGH): stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)