GHSA-8629-vc8r-5p58MediumCVSS 4.3
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
🔗 CVE IDs covered (1)
📋 Description
Summary
Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data.
Issue 1: /user/orgs missing checkTokenPublicOnly()
routers/api/v1/api.go line 1599:
m.Get("/user/orgs", reqToken(), tokenRequiresScopes(
auth_model.AccessTokenScopeCategoryUser,
auth_model.AccessTokenScopeCategoryOrganization,
), org.ListMyOrgs)
// Missing checkTokenPublicOnly()
Adjacent route at line 1603 has it:
m.Group("/users/{username}/orgs", func() { ... },
..., checkTokenPublicOnly())
Issue 2: checkTokenPublicOnly switch-case evaluates only first matching category
routers/api/v1/api.go lines 253-295. Go switch executes only the first matching case. For routes with categories [User, Organization]:
- Organization case matches first (line 263)
- ctx.Org.Organization is nil on user routes, passes
- ctx.ContextUser.IsOrganization() is false, passes
- User case (line 273) is never reached
- User visibility check skipped entirely
Steps to Reproduce
- Create a token with public-only scope (Settings > Applications > check "public only")
- Call:
curl -H "Authorization: token <PUBLIC_ONLY_TOKEN>" https://gitea.example.com/api/v1/user/orgs - Response includes private and limited-visibility organizations
Expected: only public organizations returned.
Impact
Public-only scoped tokens can enumerate private organizations the token owner belongs to. Violates the token's declared scope constraints.
Suggested Fix
- Add
checkTokenPublicOnly()to/user/orgsroute at line 1599 - Replace switch with loop over all categories so User visibility check is not skipped
Version
Current main branch, commit 2c2d7e6 (April 3, 2026).
🎯 Affected products1
- go/code.gitea.io/gitea:<= 1.26.1