CVE-2025-68941

4.9 MEDIUM

📋 TL;DR

Gitea versions before 1.22.3 contain an authorization bypass vulnerability where API tokens with scope limited to public resources can improperly access private resources. This affects all Gitea instances running vulnerable versions where users have API tokens with public-only scopes. The vulnerability allows unauthorized access to private repositories or resources.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.22.3
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where API tokens with public-only scopes exist. Self-hosted Gitea instances are vulnerable by default if using affected versions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with a public-scoped API token could access sensitive private repositories, source code, or configuration files, potentially leading to intellectual property theft or credential exposure.

🟠

Likely Case

Users with legitimate public-scoped API tokens inadvertently gain access to private resources they shouldn't see, violating access controls and potentially exposing sensitive information.

🟢

If Mitigated

With proper network segmentation and API token auditing, impact is limited to unauthorized access within the scope of the compromised token's permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid API token with public-only scope. The vulnerability is in authorization logic, making exploitation straightforward once an attacker obtains such a token.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.3

Vendor Advisory: https://blog.gitea.com/release-of-1.22.3/

Restart Required: Yes

Instructions:

1. Backup your Gitea instance and database.
2. Download Gitea 1.22.3 from official releases.
3. Stop Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart Gitea service.
6. Verify the version is now 1.22.3.

🔧 Temporary Workarounds

Revoke all public-scoped API tokens

Temporarily mitigate by revoking all API tokens with public-only scopes until patching can be completed.

# Navigate to each user's settings and revoke tokens with public-only scope
# Or use database query: UPDATE access_token SET is_active = false WHERE scope = 'public'

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Gitea API endpoints
  • Regularly audit and rotate all API tokens, especially those with public-only scopes

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface admin panel or run: ./gitea --version

Check Version:

./gitea --version

Verify Fix Applied:

After patching, verify version is 1.22.3 or higher and test that API tokens with public-only scope cannot access private resources.
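As an added example (not code from Gitea or from this advisory), a small Python check that covers both verification steps above: it parses `./gitea --version` and confirms 1.22.3 or later, then requests a known private repository through Gitea's `GET /api/v1/repos/{owner}/{repo}` endpoint with a public-only token and treats any 2xx reply as exposure. Base URL, token, owner and repository name are assumed command-line inputs; the version string used in the comment is constructed.

```python
"""Post-patch check for CVE-2025-68941 (added example, not Gitea project code)."""
import re
import urllib.error
import urllib.request

PATCHED = (1, 22, 3)  # first fixed release named in the advisory


def parse_gitea_version(output: str):
    """Extract (major, minor, patch) from `gitea --version` output,
    e.g. the constructed line 'Gitea version 1.22.2 built with GNU Make 4.4.1, go1.22.7'."""
    m = re.search(r"version\s+v?(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("could not find a version in: %r" % output)
    return tuple(int(x) for x in m.groups())


def is_patched(version) -> bool:
    """True when the running release is 1.22.3 or later."""
    return tuple(version) >= PATCHED


def probe_status(base_url: str, token: str, owner: str, repo: str) -> int:
    """Ask for a private repo's metadata with the public-only token; return HTTP status.
    base_url/token/owner/repo are assumed inputs supplied by the administrator."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/repos/{owner}/{repo}",
        headers={"Authorization": f"token {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def private_resource_exposed(status: int) -> bool:
    """A public-only token must not receive a private repo: any 2xx means the
    authorization check failed; 403/404 means it held."""
    return 200 <= status < 300


if __name__ == "__main__":
    import subprocess, sys
    out = subprocess.run(["./gitea", "--version"], capture_output=True, text=True).stdout
    v = parse_gitea_version(out)
    print("version", v, "patched" if is_patched(v) else "VULNERABLE")
    if len(sys.argv) == 5:  # usage: check.py BASE_URL TOKEN OWNER PRIVATE_REPO
        base, tok, owner, repo = sys.argv[1:]
        print("private repo exposed:", private_resource_exposed(probe_status(base, tok, owner, repo)))
```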

📡 Detection & Monitoring

Log Indicators:

  • Unusual API access patterns from tokens with public scope
  • Access denied errors followed by successful access to private resources

Network Indicators:

  • API requests to private repository endpoints from tokens with public scope

SIEM Query:

source="gitea.log" AND ("scope=public" AND "private" AND status=200)
