Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-22555 is a privilege escalation vulnerability in Gitea versions before 1.26.0 that allows API users to fork repositories directly into organizations without triggering the CanCreateOrgRepo authorization check. This flaw is particularly dangerous because it enables attackers to bypass access controls and potentially expose sensitive organization secrets embedded in forked repositories. Any organization using affected Gitea versions is at risk, especially those relying on API automation, CI/CD pipelines, or multi-tenant environments where repository isolation is critical for security.
While this vulnerability does not map directly to MITRE ATT&CK techniques, it represents a classic Improper Access Control pattern (CWE-284) that practitioners can detect through Casky's security skills mapping. Defenders should monitor for API fork operations that bypass expected authorization workflows, unusual repository creation activity within organizations, and access patterns that don't align with user roles or permissions. Casky's Claude-powered analysis would flag API calls to fork endpoints that circumvent standard permission validation chains, helping security teams identify exploitation attempts by correlating permission check failures with successful repository creation in protected organizational contexts.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-22555. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation