Epic: MokoGitea vNext — rebase to Gitea 1.26.4 (security backports) + feature roadmap #762

Open
opened 2026-07-12 20:13:06 +00:00 by jmiller · 0 comments
Owner

Big-picture planning issue for the next MokoGitea version. Two pillars: (1) close the upstream security gap by rebasing onto Gitea 1.26.4, and (2) land the next wave of Moko features. Work happens on the dependent feature branch feat/vnext (off dev), which depends on the current release (#733, live).

Fork is currently based on Gitea 1.26.1 (1.26.1+moko..., prod stable-289).


🔴 Pillar 1 — Upstream security backports (Gitea 1.26.1 -> 1.26.4)

The fork is missing all 1.26.2-1.26.4 security fixes (9 CVEs). Target: rebase/merge upstream Gitea 1.26.4 (1.26.3 shipped a repo-code-pages regression, so 1.26.4 is the floor).

CVE CVSS Vulnerability Fixed
CVE-2026-20896 9.8 ⚠️ ACTIVE EXPLOITATION Reverse-proxy auth bypass: X-WEBAUTH-USER header + wildcard REVERSE_PROXY_TRUSTED_PROXIES impersonates any user (incl. admin) 1.26.3
CVE-2026-22874 9.6 SSRF in webhooks/migrations (missing internal-IP range checks) 1.26.4
CVE-2026-20779 7.1 TOTP replay across web login / reset / Basic-Auth OTP 1.26.3
CVE-2026-28740 7.1 Non-code access authorizes private LFS object reuse 1.26.3/4
CVE-2026-27775 High Branch maintainer escalates to full repo write via pre-receive perm caching 1.26.3/4
CVE-2026-24451 High Fork sync continues after parent repo becomes private 1.26.3/4
GHSA-rjvx-x5h2-6px5 High API fork endpoint bypasses repo-creation authz (org-secret exfil) 1.26.3/4
CVE-2026-27761 4.3 Token scope bypass: RSS/Atom reads private-repo commit data 1.26.3/4
CVE-2026-25038 Medium Private organization labels visible to non-members 1.26.3/4

⚠️ CVE-2026-20896 likely can NOT wait for vNext — 9.8 + actively exploited, and the fork's base (1.26.1) predates the fix. Immediate action: check prod [security] ENABLE_REVERSE_PROXY_AUTHENTICATION + REVERSE_PROXY_TRUSTED_PROXIES in app.ini; if reverse-proxy auth is on with a wildcard/loose trusted-proxy list, hotfix (tighten config and/or cherry-pick the fix) ahead of the full rebase.

Rebase approach: merge go-gitea/gitea v1.26.4 into the fork; resolve conflicts against Moko customizations (org governance #727, licensing, folder wikis, manifest/metadata, org branch-protection layering, RE2/jsonv2 boot fixes); replay the migration chain (fork at migration 368); full dev->rc->main validation before the stable cut.


🟢 Pillar 2 — Feature roadmap (candidate scope from open issues; maintainer confirms cut line)

Access & security: #761 granular (resource-scoped) tokens · #747 dedicated mokogitea-api bot · #746 auto-add actions bot to CI/CD team · #745 org default teams (Protected + bot naming) · #725 dot-prefixed repos always private

Platform / governance: #738 expand OpenAPI + MCP for org-governance · #744 issue templates set first-class fields · #753 platform detection (nodejs->go)

Wiki: #665 CodeMirror editor · #550 full-text wiki search · #549 bulk-migrate flat wikis

UX / product: #719 mobile responsiveness · #723 issue/PR voting · #563/#564 custom-domain + white-label per org · #553 hosted MCP SSE endpoint

Metadata hygiene (parallel track): #759 / #760 client-repo metadata audits


Deliverables

  • NOW: verify + (if needed) hotfix CVE-2026-20896 on prod
  • Rebase fork onto Gitea 1.26.4; resolve conflicts; migrations pass
  • Land the confirmed feature set on feat/vnext
  • Validate dev -> rc -> main; cut the vNext stable release

Sources: Gitea 1.26.3/1.26.4 security releases; CVE-2026-20896 active-exploitation reports.

Big-picture planning issue for the **next MokoGitea version**. Two pillars: (1) close the upstream security gap by rebasing onto **Gitea 1.26.4**, and (2) land the next wave of Moko features. Work happens on the dependent feature branch **`feat/vnext`** (off `dev`), which depends on the current release (#733, live). Fork is currently based on **Gitea 1.26.1** (`1.26.1+moko...`, prod `stable-289`). --- ## 🔴 Pillar 1 — Upstream security backports (Gitea 1.26.1 -> 1.26.4) The fork is missing **all 1.26.2-1.26.4 security fixes (9 CVEs)**. **Target: rebase/merge upstream Gitea 1.26.4** (1.26.3 shipped a repo-code-pages regression, so 1.26.4 is the floor). | CVE | CVSS | Vulnerability | Fixed | |---|---|---|---| | **CVE-2026-20896** | **9.8** ⚠️ **ACTIVE EXPLOITATION** | Reverse-proxy auth bypass: `X-WEBAUTH-USER` header + wildcard `REVERSE_PROXY_TRUSTED_PROXIES` impersonates any user (incl. admin) | 1.26.3 | | CVE-2026-22874 | 9.6 | SSRF in webhooks/migrations (missing internal-IP range checks) | 1.26.4 | | CVE-2026-20779 | 7.1 | TOTP replay across web login / reset / Basic-Auth OTP | 1.26.3 | | CVE-2026-28740 | 7.1 | Non-code access authorizes private LFS object reuse | 1.26.3/4 | | CVE-2026-27775 | High | Branch maintainer escalates to full repo write via pre-receive perm caching | 1.26.3/4 | | CVE-2026-24451 | High | Fork sync continues after parent repo becomes private | 1.26.3/4 | | GHSA-rjvx-x5h2-6px5 | High | API fork endpoint bypasses repo-creation authz (org-secret exfil) | 1.26.3/4 | | CVE-2026-27761 | 4.3 | Token scope bypass: RSS/Atom reads private-repo commit data | 1.26.3/4 | | CVE-2026-25038 | Medium | Private organization labels visible to non-members | 1.26.3/4 | ⚠️ **CVE-2026-20896 likely can NOT wait for vNext** — 9.8 + actively exploited, and the fork's base (1.26.1) predates the fix. **Immediate action:** check prod `[security] ENABLE_REVERSE_PROXY_AUTHENTICATION` + `REVERSE_PROXY_TRUSTED_PROXIES` in app.ini; if reverse-proxy auth is on with a wildcard/loose trusted-proxy list, hotfix (tighten config and/or cherry-pick the fix) ahead of the full rebase. **Rebase approach:** merge `go-gitea/gitea` v1.26.4 into the fork; resolve conflicts against Moko customizations (org governance #727, licensing, folder wikis, manifest/metadata, org branch-protection layering, RE2/jsonv2 boot fixes); replay the migration chain (fork at migration 368); full dev->rc->main validation before the stable cut. --- ## 🟢 Pillar 2 — Feature roadmap (candidate scope from open issues; maintainer confirms cut line) **Access & security:** #761 granular (resource-scoped) tokens · #747 dedicated `mokogitea-api` bot · #746 auto-add actions bot to CI/CD team · #745 org default teams (Protected + bot naming) · #725 dot-prefixed repos always private **Platform / governance:** #738 expand OpenAPI + MCP for org-governance · #744 issue templates set first-class fields · #753 platform detection (nodejs->go) **Wiki:** #665 CodeMirror editor · #550 full-text wiki search · #549 bulk-migrate flat wikis **UX / product:** #719 mobile responsiveness · #723 issue/PR voting · #563/#564 custom-domain + white-label per org · #553 hosted MCP SSE endpoint **Metadata hygiene (parallel track):** #759 / #760 client-repo metadata audits --- ## Deliverables - [ ] **NOW:** verify + (if needed) hotfix CVE-2026-20896 on prod - [ ] Rebase fork onto Gitea 1.26.4; resolve conflicts; migrations pass - [ ] Land the confirmed feature set on `feat/vnext` - [ ] Validate dev -> rc -> main; cut the vNext stable release Sources: Gitea 1.26.3/1.26.4 security releases; CVE-2026-20896 active-exploitation reports.
Sign in to join this conversation.