
Gitea CVE-2026-20779

EUVD: EUVD-2026-41613 · HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-07-03 Gitea
7.1 (CVSS 3.1 · Vendor: Gitea)

Severity by source

Vendor (Gitea), primary: 7.1 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI: 5.9 MEDIUM

Attacker must capture a live TOTP code and replay it within its short window, so AC:H; no auth needed by attacker (PR:N) but victim must generate a code (UI:R), yielding account takeover (C:H, I:L).

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026 21:53 (vuln.today)

Description (CVE.org)

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.

Analysis (AI)

TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted multiple times instead of being invalidated after first use, weakening 2FA on both the web login flow and the Basic Auth X-Gitea-OTP header path. An attacker who observes a legitimate TOTP code (via interception, shoulder-surfing, or logging) can replay it within its validity window to authenticate as the victim. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Capture victim's valid TOTP code
Delivery: Reach Gitea 2FA or X-Gitea-OTP endpoint
Exploit: Replay the same code within window
Execution: Bypass single-use enforcement
Persist: Authenticate as victim
Impact: Access private repositories

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target account has TOTP-based two-factor authentication enabled in Gitea and that the attacker can obtain a currently valid TOTP code (through interception, logging, phishing relay, or shoulder-surfing) and replay it before its ~30-second time window elapses. …
Risk Assessment: The published CVSS 3.1 score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N): a network, low-complexity, no-privilege vector with high confidentiality impact and low integrity impact. …
Exploit Scenario: An attacker who can observe a victim's live TOTP code (for example by intercepting a request, reading it from a proxy or application log, or capturing it during a phishing relay) resubmits that same code to Gitea's web 2FA form or via the X-Gitea-OTP header on the Basic Auth endpoint while it is still within its validity window. Because Gitea does not reject the already-used code, the replay succeeds and the attacker completes second-factor authentication as the victim. …
Remediation: Vendor-released patch: upgrade to Gitea 1.26.3 (or the later 1.26.4) per the vendor advisory GHSA-gx3v-q759-g323 and the release notes at https://blog.gitea.com/release-of-1.26.3-and-1.26.4/; the code fix is in pull request https://github.com/go-gitea/gitea/pull/38151. …
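The defect described in the Analysis and Exploit Scenario above comes down to a verifier that checks a submitted code against the time window but never records that the code has been consumed. The Go program below is an added example written for this page; it is not Gitea's code and does not reproduce the patched implementation. It builds a minimal RFC 6238 verifier two ways: verifyReplayable, which accepts any code inside the skew window every time it is presented, and SingleUseVerifier, which stores the highest time-step counter accepted per user and refuses the same or an older step, so a captured code cannot be replayed on any login path that shares that store. The secret, user names and timestamp are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep = 30 * time.Second // RFC 6238 default time step
	totpSkew = 1                // accept one step either side for clock drift
)

// counterFor maps a wall-clock time to its RFC 6238 time-step counter.
func counterFor(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(totpStep/time.Second)
}

// totpCode computes the 6-digit HMAC-SHA1 TOTP value for one counter.
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// matchingCounter returns the time-step counter whose code equals the submitted
// one, searching the skew window around now; ok is false when nothing matches.
func matchingCounter(secret []byte, code string, now time.Time) (uint64, bool) {
	base := counterFor(now)
	for d := -totpSkew; d <= totpSkew; d++ {
		c := uint64(int64(base) + int64(d))
		if subtle.ConstantTimeCompare([]byte(code), []byte(totpCode(secret, c))) == 1 {
			return c, true
		}
	}
	return 0, false
}

// verifyReplayable illustrates the defect class on this page: any code inside
// the window is accepted no matter how many times it is presented.
func verifyReplayable(secret []byte, code string, now time.Time) bool {
	_, ok := matchingCounter(secret, code, now)
	return ok
}

// SingleUseVerifier records the highest counter accepted per user and refuses
// a code whose counter is not strictly newer, as RFC 6238 section 5.2 requires.
// Every login path that accepts TOTP (web form, API header) must consult the
// same store; here it is an in-memory map, a real service would persist it.
type SingleUseVerifier struct {
	mu       sync.Mutex
	lastUsed map[string]uint64 // user -> last accepted time-step counter
}

func NewSingleUseVerifier() *SingleUseVerifier {
	return &SingleUseVerifier{lastUsed: make(map[string]uint64)}
}

// Verify accepts the code only if it matches a step in the window AND that step
// is newer than the last step this user already consumed.
func (v *SingleUseVerifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	c, ok := matchingCounter(secret, code, now)
	if !ok {
		return false
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if last, seen := v.lastUsed[user]; seen && c <= last {
		return false // same or older step already used: treat as replay
	}
	v.lastUsed[user] = c
	return true
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample key, not a real one
	now := time.Date(2026, 7, 3, 21, 53, 0, 0, time.UTC)
	code := totpCode(secret, counterFor(now)) // what the user's authenticator shows now

	fmt.Println("replayable: first use", verifyReplayable(secret, code, now),
		"replay 5s later", verifyReplayable(secret, code, now.Add(5*time.Second)))

	v := NewSingleUseVerifier()
	fmt.Println("single-use: first use", v.Verify("alice", secret, code, now),
		"replay 5s later", v.Verify("alice", secret, code, now.Add(5*time.Second)))
}
```

Run with `go run .`; the replayable verifier prints true for both attempts, the single-use verifier prints true then false. The per-user counter store is the piece that must be shared between the web 2FA flow and the Basic Auth header path: a store scoped to one path would leave the other replayable.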

Recommended Action (AI)

Within 24 hours: Inventory all Gitea deployments and identify instances running versions 1.5.0-1.26.2; prioritize internet-accessible systems and repositories containing sensitive source code. …

