Gitea Gitea Open Source Git Server

50 CVEs affecting Gitea Gitea Open Source Git Server. Latest disclosed: 2026-07-03. Critical: 6, High: 11.

Top CVEs affecting Gitea Gitea Open Source Git Server
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-20896 | Critical | 9.8 | 2026-07-03 | Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when revers… |
| CVE-2026-58426 | Critical | 9.6 | 2026-07-03 | Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write |
| CVE-2026-22874 | Critical | 9.6 | 2026-07-03 | Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering. |
| CVE-2026-20912 | Critical | 9.1 | 2026-01-22 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be… |
| CVE-2026-20897 | Critical | 9.1 | 2026-01-22 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks b… |
| CVE-2026-20750 | Critical | 9.1 | 2026-01-22 | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modi… |
| CVE-2026-58424 | High | 8.9 | 2026-07-03 | Permanent Fork PR Workflow Approval Gate Bypass |
| CVE-2026-28737 | High | 8.7 | 2026-07-03 | Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer. |
| CVE-2026-26231 | High | 8.5 | 2026-07-03 | Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read bu… |
| CVE-2026-27771 | High | 8.2 | 2026-07-03 | Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package s… |
| CVE-2026-28744 | High | 8.1 | 2026-07-03 | Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks. |
| CVE-2026-28699 | High | 8.1 | 2026-07-03 | Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication. |
| CVE-2026-22555 | High | 8.1 | 2026-07-03 | Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organ… |
| CVE-2026-58423 | High | 7.7 | 2026-07-03 | LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to private repositories |
| CVE-2026-20736 | High | 7.5 | 2026-01-22 | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete… |
| CVE-2026-28740 | High | 7.1 | 2026-07-03 | Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-uni… |
| CVE-2026-20779 | High | 7.1 | 2026-07-03 | Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-fa… |
| CVE-2026-58418 | Medium | 6.5 | 2026-07-03 | SSRF via HTTP Redirect in Repository Migration |
| CVE-2026-20904 | Medium | 6.5 | 2026-01-22 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other us… |
| CVE-2026-20883 | Medium | 6.5 | 2026-01-22 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue t… |