CVE-2026-26231: Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commit…

Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability Gitea's "Allow edits from maintainer…

8.5CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-26231
Vendor	go
Affected Product	code.gitea.io/gitea
Vulnerability Type	Vulnerability
CVSS Score	8.5 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks.

Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: 1. The web UI PR-create endpoint binds `allow_maintainer_edit=true` without verifying that the submitter has write access to the HEAD repository.

2. Gitea allows creating a PR where BASE = attacker's fork and HEAD = upstream target. The attacker is "maintainer" of the BASE (their own fork), so the flag is set against the upstream HEAD. 3. On git push over HTTP/SSH, Gitea relaxes the required access mode to Read when SupportProcReceive is enabled ([routers/web/repo/githttp.go](https://github.com/go-git

🎯 Known Indicators of Compromise

{"type":"url","value":"https://github.com/go-git","confidence_score":0.82,"first_seen":"2026-06-17","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-26231 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →