ANALYSIS · a9dcfeaf· FINISHED 2026-05-31 · PATCHDIFF

giteav1.26.1 → v1.26.2✓ COMPLETED

Files144

Vulnerable86

True positives69

CVE matched15

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2026-27771

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 144 CVE 15 Vuln 86

SORT

15 files · page 1/1

models/admin/task.go

AI: 2 vulnerabilities

CVE-2026-27771 2 TP

#%!d(float64=004)

models/asymkey/ssh_key_principals.go

AI: 1 vulnerabilities

CVE-2026-27771 1 FP

#%!d(float64=005)

models/repo/repo_list.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=016)

modules/git/catfile_batch_command.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=025)

modules/migration/options.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=039)

routers/api/v1/org/org.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=050)

routers/api/v1/repo/pull.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=053)

routers/api/v1/user/repo.go

AI: 2 vulnerabilities

CVE-2026-27771 2 TP

#%!d(float64=055)

routers/web/repo/attachment.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=066)

routers/web/repo/repo.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=074)

services/actions/notifier_helper.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=083)

services/auth/basic.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=090)

services/migrations/gitea_uploader.go

AI: 2 vulnerabilities

CVE-2026-27771 2 TP

#%!d(float64=108)

services/pull/pull.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=112)

tests/integration/api_issue_config_test.go

AI: 1 vulnerabilities

CVE-2026-27771 1 TP

#%!d(float64=119)

1–15 of 15

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2026-27771

Security writeup for CVE-2026-27771

✓ 15 FILES

## The Exploit

Attacker needs a repository access token that is valid for repo read operations but does not have the specific download/archive scope.

```bash
curl -i -H "Authorization: token REPO_READ_ONLY_TOKEN" \
  "https://TARGET/user/repo/archive/refs/heads/main.zip?path=README.md"
```

The server responds with `HTTP/1.1 200 OK` and `Content-Type: application/zip`, delivering a valid archive even though the token is missing download-specific authorization. On a patched instance, the same request is rejected before archive creation.

## What the Patch Did

Before:
```go
func Download(ctx *context.Context) {
    aReq, err := archiver_service.NewRequest(ctx.Repo.Repository, ctx.Repo.GitRepo, ctx.PathParam("*"), ctx.FormStrings("path"))
    if err != nil {
        if errors.Is(err, util.ErrInvalidArgument) {
...
func InitiateDownload(ctx *context.Context) {
    paths := ctx.FormStrings("path")
    if setting.Repository.StreamArchives || len(paths) > 0 {
        ctx.JSON(http.StatusOK, map[string]any{
```

After:
```go
func Download(ctx *context.Context) {
    if !checkDownloadTokenScope(ctx) {
        return
    }
    aReq, err := archiver_service.NewRequest(ctx.Repo.Repository, ctx.Repo.GitRepo, ctx.PathParam("*"), ctx.FormStrings("path"))
    if err != nil {
        if errors.Is(err, util.ErrInvalidArgument) {
...
func InitiateDownload(ctx *context.Context) {
    if !checkDownloadTokenScope(ctx) {
        return
    }
    paths := ctx.FormStrings("path")
    if setting.Repository.StreamArchives || len(paths) > 0 {
        ctx.JSON(http.StatusOK, map[string]any{
```

The patch added an explicit download-scope authorization check by calling `checkDownloadTokenScope(ctx)` at the start of both archive download entry points.

## Root Cause

This is a missing authorization bug (CWE-862/CWE-285): the repository archive download endpoints accepted requests from a token-authenticated context without verifying that the token included the required download scope. User-controlled input enters as the auth token plus the `path` parameter and archive route suffix (`ctx.PathParam("*")`), then reaches archive generation through `archiver_service.NewRequest(...)` without crossing a scope check. The trust boundary violated is token scope verification for sensitive repository downloads.

## Why It Works

The load-bearing change is the added guard `if !checkDownloadTokenScope(ctx) { return }` in both `Download` and `InitiateDownload`. Without that check, the handlers proceed to archive creation regardless of whether the token is authorized for download. The duplicate guard is needed because both handlers are separate entry points for archive delivery: one starts the download flow, the other performs the actual archive request. The patch places the check early so the sensitive operation never reaches `archiver_service.NewRequest(...)` when token scope is insufficient.

## Hardening Checklist

- Enforce scope-specific authorization before any sensitive action, e.g. call `checkDownloadTokenScope(ctx)` before archive creation.
- Validate token scopes in every handler that exposes a protected resource, not just in shared middleware.
- Keep authorization checks separate from business logic so missing a handler does not bypass them.
- Add regression tests using tokens with `read_repository` but without download/archive scope to verify access is denied.
- Use explicit deny-return patterns (`if !authorized { return }`) at the top of request handlers instead of relying on later request flow.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2026-27771

CVE CVE-2026-27771

PRODUCT gitea

AFFECTED ≤ v1.26.1

FIXED IN v1.26.2

STATUS Generated

Security writeup · CVE-2026-27771

Source files · 15

models/admin/task.go Linked

models/asymkey/ssh_key_principals.go Linked

models/repo/repo_list.go Linked

modules/git/catfile_batch_command.go Linked

modules/migration/options.go Linked

routers/api/v1/org/org.go Linked

routers/api/v1/repo/pull.go Linked

routers/api/v1/user/repo.go Linked

routers/web/repo/attachment.go Linked

routers/web/repo/repo.go Linked

services/actions/notifier_helper.go Linked

services/auth/basic.go Linked

services/migrations/gitea_uploader.go Linked

services/pull/pull.go Linked

tests/integration/api_issue_config_test.go Linked

↗ NVD