GHSA-cr4g-f395-h25h

Source
https://github.com/advisories/GHSA-cr4g-f395-h25h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cr4g-f395-h25h/GHSA-cr4g-f395-h25h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cr4g-f395-h25h
Aliases
  • CVE-2026-20706
Published
2026-06-16T23:42:04Z
Modified
2026-06-16T23:45:07.238491739Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Gitea: Token scope bypass on web archive download endpoint
Details

Summary

PR #37698 added checkDownloadTokenScope to the /raw/, /media/, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in that fix. The endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 (registered at routers/web/web.go:1649-1652) but calls neither checkDownloadTokenScope nor CheckRepoScopedToken, so the token's scope is never enforced there.

A personal access token with any non-repository scope (e.g., read:issue or read:misc) can therefore download full repository archives (zip/tar.gz) of any private repository the token owner can read.

Impact

Scope escalation: tokens scoped to non-repository categories can read full repository content through the archive download endpoint. The impact is higher than for the endpoints fixed in #37698 because /archive/* serves the entire repository rather than a single file or attachment.

Steps to Reproduce

  1. Create a personal access token with ONLY the read:misc scope
  2. Using that token, request: GET /{owner}/{private-repo}/archive/main.tar.gz
  3. The archive is served (200 OK) instead of being rejected (403 Forbidden)

Compare with a fixed endpoint: GET /{owner}/{private-repo}/raw/branch/main/README.md with the same token correctly returns 403.

Root Cause

The Download function in routers/web/repo/repo.go:372 does not call checkDownloadTokenScope. The outer route group's reqUnitCodeReader middleware checks the caller's repository permission but not the token's scope, so a token whose owner can read the repository passes regardless of which scopes the token was issued with.

The API equivalent (/api/v1/repos/{owner}/{repo}/archive/*) is correctly scoped via tokenRequiresScopes(AccessTokenScopeCategoryRepository), and the git HTTP endpoints are scoped via CheckRepoScopedToken in httpBase. The web archive route is the only archive path that lacks the check.

Suggested Fix

Add checkDownloadTokenScope(ctx) to Download and InitiateDownload in routers/web/repo/repo.go. The function already exists in routers/web/repo/download.go (same package).
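The following Go program is an added illustration of the root cause and the suggested fix, serving both the reproduction steps above and the fix described here; it is example code written for this page, not Gitea's own code. It models a personal access token as a set of "read:<category>" / "write:<category>" scope strings, stands in for reqUnitCodeReader with a constructed permission table, and exposes an archive handler in two configurations: permission check only (the reported behaviour) and permission check plus a token-scope check (the fix). The token table, repository name, the "token <PAT>" Authorization form and the 404-for-unreadable-repo behaviour are assumptions of this model.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Token is an illustrative model of a Gitea personal access token
// (not Gitea's own type): scopes look like "read:misc" or "write:repository".
type Token struct {
	Owner  string
	Scopes []string
}

// hasCategory reports whether the token carries any scope in the given
// category, regardless of read/write level.
func (t Token) hasCategory(category string) bool {
	for _, s := range t.Scopes {
		if parts := strings.SplitN(s, ":", 2); len(parts) == 2 && parts[1] == category {
			return true
		}
	}
	return false
}

// Constructed sample data: which owners can read which repositories
// (stand-in for reqUnitCodeReader) and which PAT strings map to which token.
var repoReadable = map[string]map[string]bool{
	"alice": {"alice/private-repo": true},
}

var tokens = map[string]Token{
	"tok-misc-only": {Owner: "alice", Scopes: []string{"read:misc"}},
	"tok-repo":      {Owner: "alice", Scopes: []string{"read:repository"}},
}

// checkDownloadTokenScope models the check the advisory says the /raw/ and
// /media/ endpoints gained in PR #37698 and /archive/* lacked: a request
// authenticated with a token must carry a repository-category scope.
func checkDownloadTokenScope(tok *Token) bool {
	if tok == nil {
		return true // browser session, no token scope to enforce
	}
	return tok.hasCategory("repository")
}

// archiveStatus is the access decision for the archive endpoint.
// enforceScope=false reproduces the reported bug (permission check only);
// enforceScope=true reproduces the suggested fix.
func archiveStatus(tok *Token, repo string, enforceScope bool) int {
	owner := ""
	if tok != nil {
		owner = tok.Owner
	}
	if !repoReadable[owner][repo] {
		return http.StatusNotFound // modelled: unreadable repos are hidden as 404
	}
	if enforceScope && !checkDownloadTokenScope(tok) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// archiveHandler serves a route shaped like /{owner}/{repo}/archive/<ref>.tar.gz,
// authenticating via "Authorization: token <PAT>" against the tokens table.
func archiveHandler(enforceScope bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var tok *Token
		if t, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "token ")]; ok {
			tok = &t
		}
		parts := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/"), "/", 4)
		if len(parts) < 4 || parts[2] != "archive" {
			http.NotFound(w, r)
			return
		}
		code := archiveStatus(tok, parts[0]+"/"+parts[1], enforceScope)
		w.WriteHeader(code)
		if code == http.StatusOK {
			fmt.Fprintf(w, "archive bytes for %s/%s at %s\n", parts[0], parts[1], parts[3])
		}
	}
}

// probe performs the advisory's reproduction step against an in-process
// server and returns the HTTP status; tokenName "" means unauthenticated.
func probe(enforceScope bool, tokenName string) int {
	srv := httptest.NewServer(archiveHandler(enforceScope))
	defer srv.Close()
	req, _ := http.NewRequest("GET", srv.URL+"/alice/private-repo/archive/main.tar.gz", nil)
	if tokenName != "" {
		req.Header.Set("Authorization", "token "+tokenName)
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() {
	fmt.Println("vulnerable, read:misc token:", probe(false, "tok-misc-only"))
	fmt.Println("fixed, read:misc token:     ", probe(true, "tok-misc-only"))
	fmt.Println("fixed, read:repository token:", probe(true, "tok-repo"))
}
```

The point the model makes is that the permission check and the scope check answer different questions: reqUnitCodeReader asks whether the token's owner may read the repository, while checkDownloadTokenScope asks whether this particular token was issued for repository access. The vulnerable configuration passes on the first answer alone, which is exactly what the reproduction steps observe.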

Discovery Method

Variant analysis of PR #37698: all web routes registered with the webAuth.AllowOAuth2 middleware were reviewed for the same missing scope check.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T23:42:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Go / code.gitea.io/gitea

Package

Name
code.gitea.io/gitea
Purl
pkg:golang/code.gitea.io/gitea

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cr4g-f395-h25h/GHSA-cr4g-f395-h25h.json"
last_known_affected_version_range
"<= 1.26.1"