Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28699.json",
"cna_assigner": "Gitea",
"cwe_ids": [
"CWE-284",
"CWE-863"
]
}