Summary
Gitea before 1.26.0 is missing a `CanCreateOrgRepo` permission check on its fork API (CVE-2026-22555). A user who is not allowed to create repositories in an organization could nevertheless fork a repository into that organization through the API. Because a repository that lives inside the organization runs its CI/CD workflows with access to the organization's secrets, the attacker-controlled fork becomes a way to read and exfiltrate them. It is a broken-authorization flaw that leaks organization and CI/CD secrets to users who should not have access to them.
How to fix it
- Upgrade Gitea to 1.26.0 or later, which enforces the missing repository-creation permission on the fork API.
- Rotate any organization or CI/CD secrets that could have been exposed, and review organization membership and recent fork activity.
How to avoid it in your code
- Enforce the same permission checks on API endpoints as on the UI, and route every way of creating a resource (create, fork, transfer, import) through the same authorization function; an authorization check forgotten on one API path is a classic broken-access-control bug.
- Scope secrets to the smallest set of repositories and actors that need them, and rotate on any suspected exposure.
- Keep your forge patched and audit who can create or fork repositories in sensitive organizations.
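The following is an added example, not Gitea's code, that models the two points above in Go: a fork handler that checks only that the source repository is readable, beside the hardened form that also applies the organization's repository-creation check, plus a function showing why the fork matters, namely that any repository owned by the organization inherits the organization-level CI secrets. The `Org`, `Repo`, `ForkVulnerable`, `ForkFixed` and `SecretsForWorkflow` names and the sample users and secret are assumptions constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Org is a constructed model of an organization: who belongs to it, which
// members may create repositories, and its organization-level CI secrets.
type Org struct {
	Name     string
	Members  map[string]bool   // members of the organization
	Creators map[string]bool   // members allowed to create repositories
	Secrets  map[string]string // organization-level CI/CD secrets
}

// Repo is a constructed model of a repository.
type Repo struct {
	Owner  string
	Name   string
	Public bool
}

// ErrForbidden is returned when the actor may not create repos in the org.
var ErrForbidden = errors.New("forbidden: actor may not create repositories in this organization")

// CanCreateOrgRepo is the check the create-repository path performs:
// the actor must be a member with repository-creation rights.
func (o *Org) CanCreateOrgRepo(user string) bool {
	return o.Members[user] && o.Creators[user]
}

// canReadRepo approximates read access to the fork source.
func canReadRepo(src Repo, user string) bool {
	return src.Public || src.Owner == user
}

// ForkVulnerable models an API path that verifies the source is readable
// but never asks whether the actor may create repositories in the target
// organization: any member (or any user, for a public source) can fork in.
func ForkVulnerable(src Repo, target *Org, user string) (Repo, error) {
	if !canReadRepo(src, user) {
		return Repo{}, errors.New("not found")
	}
	return Repo{Owner: target.Name, Name: src.Name, Public: src.Public}, nil
}

// ForkFixed applies the same check the create-repository path applies,
// so forking into an organization is no easier than creating a repo there.
func ForkFixed(src Repo, target *Org, user string) (Repo, error) {
	if !canReadRepo(src, user) {
		return Repo{}, errors.New("not found")
	}
	if !target.CanCreateOrgRepo(user) {
		return Repo{}, ErrForbidden
	}
	return Repo{Owner: target.Name, Name: src.Name, Public: src.Public}, nil
}

// SecretsForWorkflow returns what a CI job in repo would receive: every
// repository owned by the organization inherits its organization-level
// secrets, which is why an unauthorized fork into the org leaks them.
func SecretsForWorkflow(org *Org, repo Repo) map[string]string {
	out := map[string]string{}
	if repo.Owner != org.Name {
		return out
	}
	for k, v := range org.Secrets {
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample data: mallory is a member without creation rights.
	org := &Org{
		Name:     "acme",
		Members:  map[string]bool{"alice": true, "mallory": true},
		Creators: map[string]bool{"alice": true},
		Secrets:  map[string]string{"DEPLOY_TOKEN": "s3cr3t"},
	}
	src := Repo{Owner: "someone", Name: "tool", Public: true}

	forked, _ := ForkVulnerable(src, org, "mallory")
	fmt.Println("vulnerable: mallory's fork can read", SecretsForWorkflow(org, forked))

	_, err := ForkFixed(src, org, "mallory")
	fmt.Println("fixed:", err)
}
```

The second lesson is visible in `SecretsForWorkflow`: the blast radius of the missing check is set by how widely the organization's secrets are shared, so scoping secrets to the repositories that need them limits what an unauthorized fork could reach even before the authorization bug is fixed.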
Related vulnerabilities
- HIGH, CVE-2026-52799: Gogs Missing Authorization in Attachment Download
- HIGH, CVE-2026-50137: Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
- MEDIUM, CVE-2026-44585: Paymenter has broken object level authorization via service reference manipulation on ticket creation
- MEDIUM, CVE-2026-33684: AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
- MEDIUM, GHSA-h4h3-3rfj-x6fq: SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
- MEDIUM, GHSA-mxjx-28vx-xjjj: Network-AI: ApprovalInbox HTTP server has no authentication, so anyone can approve pending agent actions