
Gitea CVE-2026-22874

EUVD: EUVD-2026-41618 · CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-03 · Gitea
9.6 (CVSS 3.1) · Vendor: Gitea

Severity by source

Vendor (Gitea), primary: 9.6 CRITICAL
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

vuln.today AI: 8.5 HIGH

Network-reachable feature abused by an authenticated low-priv user (PR:L); scope changes as requests hit other systems (S:C); SSRF primarily leaks internal data (C:H) with limited integrity impact (I:L) and no availability effect.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026 - 21:52 (vuln.today)

Description (CVE.org)

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.

Analysis (AI)

Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow-list filtering in the webhook and repository-migration features to coerce the server into making requests to internal or otherwise restricted network destinations. Because the existing SSRF protection is incomplete rather than absent, attackers can craft addresses that bypass the allow-list checks to reach services that should be unreachable from outside. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to Gitea (low-priv account)
Delivery: Configure webhook or migration with crafted internal URL
Exploit: Bypass incomplete allow-list filter
Execution: Server issues request to internal target
Impact: Exfiltrate internal data or pivot

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Gitea account (CVSS PR:L) with permission to create a webhook or start a repository migration/mirror; these are the exact features whose allow-list filtering is incomplete. …

Risk Assessment: The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, base 9.6) drives the critical score largely through the scope change (S:C) and high confidentiality/integrity impact, reflecting that a successful SSRF reaches systems beyond Gitea's own security authority. …

Exploit Scenario: An attacker registers or uses an existing low-privileged account on an internet-facing Gitea instance, then configures a repository webhook or starts a repository migration pointing at an internal address (e.g. a cloud metadata endpoint or internal service) encoded in a form that slips past the incomplete allow-list check. …

Remediation: Vendor-released patch: upgrade to Gitea 1.26.3 or later (1.26.4 is also available per the release blog), which corrects the incomplete allow-list filtering in the webhook and migration code paths per pull requests https://github.com/go-gitea/gitea/pull/38173 and https://github.com/go-gitea/gitea/pull/38059. …
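The analysis and remediation above describe the weakness only as "incomplete allow-list filtering" of outbound webhook and migration URLs. The following is an added example, not Gitea's own code or the fix shipped in the pull requests above, of what a complete outbound-URL check looks like from the defender's side: the decision is made on the addresses the host actually resolves to (not on the host string), every resolved address is checked so mixed public/internal records are refused, IPv4-mapped IPv6 forms are unwrapped, and the vetted addresses are handed back so the caller can pin its dialer instead of resolving a second time. The function names, the `Resolver` injection point and the `ConstructedResolver` DNS table (with documentation-range addresses) are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver maps a host name to its addresses. It is injected so the check can
// be exercised offline; production code would pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isRestrictedIP reports whether an address must never be an outbound webhook
// or migration target: loopback, RFC 1918 / ULA private, link-local (the range
// that also holds cloud metadata endpoints), multicast or unspecified.
// IPv4-mapped IPv6 addresses are unwrapped before the range tests.
func isRestrictedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckOutboundURL vets a user-supplied URL before the server connects to it.
// The URL is refused if ANY resolved address is restricted, so a name with
// mixed public and internal records is still rejected. allowedHosts is the
// operator's explicit exception list (exact host names or IP literals).
// The vetted addresses are returned so the caller can pin its dialer to one of
// them rather than resolve the name again, which would reopen a DNS-rebinding
// window between check and connect.
func CheckOutboundURL(raw string, allowedHosts []string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // brackets already stripped from IPv6 literals
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(strings.TrimSpace(h), host) {
			return ips, nil // operator explicitly permitted this host
		}
	}
	for _, ip := range ips {
		if isRestrictedIP(ip) {
			return nil, fmt.Errorf("%q resolves to restricted address %s", host, ip)
		}
	}
	return ips, nil
}

// ConstructedResolver is a made-up DNS table for offline demonstration
// (203.0.113.0/24 is documentation space); it is not a real resolver.
func ConstructedResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"hooks.example.com": {net.ParseIP("203.0.113.10")},
		"intranet.example":  {net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	cases := []string{
		"https://hooks.example.com/deliver", // public record only: allowed
		"http://intranet.example/",          // mixed public/private records: rejected
		"http://127.0.0.1:3000/",            // loopback: rejected
		"http://[::1]/",                     // IPv6 loopback: rejected
		"http://169.254.169.254/",           // link-local (metadata range): rejected
		"http://[::ffff:10.0.0.1]/",         // IPv4-mapped private: rejected
		"ftp://203.0.113.5/",                // scheme not allowed: rejected
	}
	for _, c := range cases {
		ips, err := CheckOutboundURL(c, nil, ConstructedResolver)
		if err != nil {
			fmt.Printf("REJECT %-34s %v\n", c, err)
			continue
		}
		fmt.Printf("ALLOW  %-34s -> %v\n", c, ips)
	}
}
```

The operator exception list exists because some deployments legitimately deliver webhooks to an internal CI host; the point is that the exception is an explicit, audited configuration value, while the default decision is taken on resolved addresses rather than on whatever spelling of a host the user submitted.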

Recommended Action (AI)

Within 24 hours: Audit and document all users with repository administrator and webhook creation permissions; identify and inventory all internal services accessible from the Gitea server. …



CVE-2026-22874 vulnerability details – vuln.today
