Gitea Open Source Git Server (vendor: Gitea)
50 CVEs affect Gitea Open Source Git Server. Latest disclosed: 2026-07-03. Critical: 6, High: 11.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-20896 | Critical | 9.8 | 2026-07-03 | Gitea Docker image versions up to and including 1.26.2 use `REVERSE_PROXY_TRUSTED_PROXIES=*` by default, allowing any source IP to impersonate a user when revers… |
| CVE-2026-58426 | Critical | 9.6 | 2026-07-03 | Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write. |
| CVE-2026-22874 | Critical | 9.6 | 2026-07-03 | Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering. |
| CVE-2026-20912 | Critical | 9.1 | 2026-01-22 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be… |
| CVE-2026-20897 | Critical | 9.1 | 2026-01-22 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks b… |
| CVE-2026-20750 | Critical | 9.1 | 2026-01-22 | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modi… |
| CVE-2026-58424 | High | 8.9 | 2026-07-03 | Permanent fork PR workflow approval gate bypass. |
| CVE-2026-28737 | High | 8.7 | 2026-07-03 | Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the `extensionsRequired` field in glTF files rendered by the 3D file viewer. |
| CVE-2026-26231 | High | 8.5 | 2026-07-03 | Gitea versions up to and including 1.26.1 allow the "Allow edits from maintainers" permission path to authorize commits to repositories that the user can read bu… |
| CVE-2026-27771 | High | 8.2 | 2026-07-03 | Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package s… |
| CVE-2026-28744 | High | 8.1 | 2026-07-03 | Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks. |
| CVE-2026-28699 | High | 8.1 | 2026-07-03 | Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication. |
| CVE-2026-22555 | High | 8.1 | 2026-07-03 | Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the `CanCreateOrgRepo` check, which can expose organ… |
| CVE-2026-58423 | High | 7.7 | 2026-07-03 | LFS authentication bypass via a malformed SSH sub-verb allows unauthorized read access to private repositories. |
| CVE-2026-20736 | High | 7.5 | 2026-01-22 | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete… |
| CVE-2026-28740 | High | 7.1 | 2026-07-03 | Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-uni… |
| CVE-2026-20779 | High | 7.1 | 2026-07-03 | Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-fa… |
| CVE-2026-58418 | Medium | 6.5 | 2026-07-03 | SSRF via HTTP redirect in repository migration. |
| CVE-2026-20904 | Medium | 6.5 | 2026-01-22 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other us… |
| CVE-2026-20883 | Medium | 6.5 | 2026-01-22 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue t… |
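The top entry, CVE-2026-20896, is a configuration defect rather than a code bug: with `REVERSE_PROXY_TRUSTED_PROXIES=*` and reverse-proxy authentication enabled, every TCP peer is treated as the trusted proxy, so whoever can reach the Gitea port directly can set the user header themselves. The Go program below is an added illustration of what that setting decides; it is not Gitea's implementation, and the header name `X-WEBAUTH-USER` and the `127.0.0.0/8,::1/128` list are used because they are Gitea's documented defaults for `REVERSE_PROXY_AUTHENTICATION_USER` and `REVERSE_PROXY_TRUSTED_PROXIES` in the `[security]` section of `app.ini`. Request addresses and header values in `main` are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ReverseProxyAuth models the decision a Git server makes when reverse-proxy
// authentication is on: honour the user named in a request header only if the
// TCP peer is one of the configured proxies. Constructed illustration, not
// Gitea's own code.
type ReverseProxyAuth struct {
	trustAll   bool
	trusted    []*net.IPNet
	userHeader string
}

// NewReverseProxyAuth parses a comma-separated list in the shape of
// REVERSE_PROXY_TRUSTED_PROXIES: CIDR ranges, bare IPs, or "*" for everyone.
func NewReverseProxyAuth(trustedProxies, userHeader string) (*ReverseProxyAuth, error) {
	a := &ReverseProxyAuth{userHeader: userHeader}
	for _, entry := range strings.Split(trustedProxies, ",") {
		entry = strings.TrimSpace(entry)
		switch {
		case entry == "":
			continue
		case entry == "*":
			a.trustAll = true // the weak setting: every peer is a "proxy"
		case strings.Contains(entry, "/"):
			_, ipnet, err := net.ParseCIDR(entry)
			if err != nil {
				return nil, fmt.Errorf("bad trusted proxy %q: %w", entry, err)
			}
			a.trusted = append(a.trusted, ipnet)
		default:
			ip := net.ParseIP(entry)
			if ip == nil {
				return nil, fmt.Errorf("bad trusted proxy %q", entry)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			a.trusted = append(a.trusted, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
		}
	}
	return a, nil
}

func (a *ReverseProxyAuth) isTrusted(ip net.IP) bool {
	if a.trustAll {
		return true
	}
	for _, n := range a.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// UserFromRequest returns the asserted user and true only when the request's
// peer address is a trusted proxy; from any other peer the header is ignored.
// headers is keyed by the header name exactly as configured.
func (a *ReverseProxyAuth) UserFromRequest(remoteAddr string, headers map[string]string) (string, bool) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", false
	}
	ip := net.ParseIP(host)
	if ip == nil || !a.isTrusted(ip) {
		return "", false
	}
	user := strings.TrimSpace(headers[a.userHeader])
	if user == "" {
		return "", false
	}
	return user, true
}

func main() {
	weak, _ := NewReverseProxyAuth("*", "X-WEBAUTH-USER")
	safe, _ := NewReverseProxyAuth("127.0.0.0/8,::1/128", "X-WEBAUTH-USER")
	spoof := map[string]string{"X-WEBAUTH-USER": "admin"} // constructed: attacker-supplied header
	u, ok := weak.UserFromRequest("203.0.113.7:51000", spoof)
	fmt.Println("trust '*', internet peer:", u, ok) // admin true: impersonation
	u, ok = safe.UserFromRequest("203.0.113.7:51000", spoof)
	fmt.Println("explicit list, internet peer:", u, ok) // "" false
	u, ok = safe.UserFromRequest("127.0.0.1:4000", spoof)
	fmt.Println("explicit list, local proxy:", u, ok) // admin true
}
```

The practical check for a container deployment is therefore whether the effective `[security] REVERSE_PROXY_TRUSTED_PROXIES` value is `*` while `[service] ENABLE_REVERSE_PROXY_AUTHENTICATION` is `true`; the fix is an explicit list of the proxy's addresses, and a network policy that prevents clients from reaching the Gitea port without going through that proxy.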
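CVE-2026-58426 describes the Artifacts V4 signed URL as having an "HMAC ambiguity". The page gives no further detail, so the Go program below is a generic added example of that bug class, not a reconstruction of Gitea's field layout: a MAC computed over concatenated fields has no field boundaries, so two different (repository, artifact) tuples can share one valid tag, while a length-prefixed, purpose-tagged encoding makes every tuple a distinct MAC input. The key, purpose labels and field values are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// naiveTag authenticates fields by concatenating them before the HMAC. With
// no encoded boundaries, different tuples can produce the same MAC input.
// Kept only as the "before" case.
func naiveTag(key []byte, fields ...string) string {
	mac := hmac.New(sha256.New, key)
	for _, f := range fields {
		mac.Write([]byte(f))
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// canonicalEncode produces an unambiguous byte string: a purpose label, the
// field count, and each field preceded by its length as a uvarint. No two
// distinct (purpose, fields) tuples encode to the same bytes, so a tag cannot
// be transplanted to another repository or to a different operation.
func canonicalEncode(purpose string, fields ...string) []byte {
	var buf []byte
	var tmp [binary.MaxVarintLen64]byte
	appendField := func(s string) {
		n := binary.PutUvarint(tmp[:], uint64(len(s)))
		buf = append(buf, tmp[:n]...)
		buf = append(buf, s...)
	}
	appendField(purpose)
	n := binary.PutUvarint(tmp[:], uint64(len(fields)))
	buf = append(buf, tmp[:n]...)
	for _, f := range fields {
		appendField(f)
	}
	return buf
}

// CanonicalTag is the hardened signer: HMAC-SHA256 over the canonical encoding.
func CanonicalTag(key []byte, purpose string, fields ...string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonicalEncode(purpose, fields...))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyCanonicalTag recomputes the tag from the fields the server itself
// parsed out of the request (never from a client-supplied concatenation) and
// compares in constant time.
func VerifyCanonicalTag(key []byte, tag, purpose string, fields ...string) bool {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	got, _ := hex.DecodeString(CanonicalTag(key, purpose, fields...))
	return hmac.Equal(want, got)
}

func main() {
	key := []byte("constructed-demo-key") // demonstration key only
	// Two different (repo, artifact id) pairs whose concatenation is identical:
	// "org"+"repo1"+"2" == "org"+"repo"+"12".
	a := naiveTag(key, "org", "repo1", "2")
	b := naiveTag(key, "org", "repo", "12")
	fmt.Println("naive tags collide:", a == b) // true
	ca := CanonicalTag(key, "artifact-download", "org", "repo1", "2")
	cb := CanonicalTag(key, "artifact-download", "org", "repo", "12")
	fmt.Println("canonical tags collide:", ca == cb) // false
	fmt.Println("download tag accepted for upload:",
		VerifyCanonicalTag(key, ca, "artifact-upload", "org", "repo1", "2")) // false
}
```

The purpose label matters as much as the length prefixes: the summary lists both a read and a write consequence, and binding the operation into the MAC input is what stops a tag issued for one operation from authorizing another.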
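CVE-2026-20779 is a single-use enforcement defect: a TOTP code that is valid for the current time step is accepted more than once across different two-factor entry points. The Go program below is an added example of the control as a senior engineer would implement it, not Gitea's code: RFC 6238 verification (HMAC-SHA1, 30-second steps, 6 digits) with one shared store that records the highest time step already consumed per user, so a replayed code is refused no matter which login path presents it. The user names and the base32 secrets in `main` and the test are constructed; `JBSWY3DPEHPK3PXP` is a commonly used documentation secret and `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` is the base32 form of the RFC 6238 Appendix B SHA-1 test secret `12345678901234567890`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"sync"
	"time"
)

const totpPeriod = 30 // RFC 6238 time step in seconds

// totpCode returns the 6-digit RFC 6238 code for one time-step counter
// (HOTP dynamic truncation from RFC 4226 over the big-endian counter).
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

type totpAccount struct {
	secret   []byte
	lastUsed uint64 // highest time-step counter whose code has already been accepted
}

// TOTPStore is the single verifier every 2FA entry point (web login, API,
// re-authentication prompts) must share: replay state lives here, not per path.
type TOTPStore struct {
	mu       sync.Mutex
	skew     uint64 // time steps accepted on either side of "now" for clock drift
	accounts map[string]*totpAccount
}

func NewTOTPStore(skew uint64) *TOTPStore {
	return &TOTPStore{skew: skew, accounts: make(map[string]*totpAccount)}
}

// Enroll registers a base32 secret (the string inside an otpauth:// URI) for user.
func (s *TOTPStore) Enroll(user, base32Secret string) error {
	raw, err := base32.StdEncoding.WithPadding(base32.NoPadding).
		DecodeString(strings.ToUpper(strings.ReplaceAll(base32Secret, " ", "")))
	if err != nil {
		return fmt.Errorf("invalid secret for %s: %w", user, err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.accounts[user] = &totpAccount{secret: raw}
	return nil
}

// Verify accepts code for user at time now exactly once. On success the
// matching time step is consumed; codes for that step or any earlier step are
// never accepted again, regardless of which entry point presents them.
func (s *TOTPStore) Verify(user, code string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	acct, ok := s.accounts[user]
	if !ok {
		return false
	}
	center := uint64(now.Unix()) / totpPeriod
	for d := -int64(s.skew); d <= int64(s.skew); d++ {
		step := uint64(int64(center) + d)
		if step <= acct.lastUsed {
			continue // already consumed (or older): this is the replay check
		}
		if hmac.Equal([]byte(totpCode(acct.secret, step)), []byte(code)) {
			acct.lastUsed = step
			return true
		}
	}
	return false
}

// CurrentCode returns what a correctly synced authenticator app would show.
// It exists for the demonstration and tests; a server would never expose it.
func (s *TOTPStore) CurrentCode(user string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	acct, ok := s.accounts[user]
	if !ok {
		return "", false
	}
	return totpCode(acct.secret, uint64(now.Unix())/totpPeriod), true
}

func main() {
	store := NewTOTPStore(1)
	_ = store.Enroll("alice", "JBSWY3DPEHPK3PXP") // constructed enrolment
	now := time.Now()
	code, _ := store.CurrentCode("alice", now)
	fmt.Println("web 2FA, first use:", store.Verify("alice", code, now))  // true
	fmt.Println("API 2FA, same code:", store.Verify("alice", code, now))  // false
}
```

The defect class the summary describes arises when each entry point keeps its own "last used" record, or none at all; the store above makes the consumed step a property of the account, which is the invariant to check for in any 2FA implementation with more than one verification path.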