Gitea has insufficient permission checks for Composer package source links
Description
Published by the National Vulnerability Database
Jul 3, 2026
Published to the GitHub Advisory Database
Jul 17, 2026
Reviewed
Jul 17, 2026
Last updated
Jul 17, 2026
CVE Description
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.
Summary
A critical vulnerability has been discovered in Gitea. It was already reported via (security@gitea.io) from (dev@noscope.com), and submitted an encrypted report.
References