Severity by source
Primary rating from Vendor (Gitea).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (base score 9.6)
Network-reachable feature abused by an authenticated low-privilege user (PR:L); scope changes because the forged requests reach systems outside Gitea's own security authority (S:C); a successful SSRF can read responses from internal services (C:H) and, where those services accept state-changing requests, alter them, which the vendor rates as high integrity impact (I:H); no availability impact (A:N).
Description (CVE.org)
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
Analysis (AI)
Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow-list filtering in the webhook and repository-migration features to coerce the server into making requests to internal or otherwise restricted network destinations. Because the existing SSRF protection is incomplete rather than absent, attackers can craft addresses that bypass the allow-list checks to reach services that should be unreachable from outside. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated Gitea account (CVSS PR:L) with permission to create a webhook or start a repository migration/mirror - these are the exact features whose allow-list filtering is incomplete. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, base 9.6) drives the critical score largely through the scope change (S:C) and high confidentiality/integrity impact, reflecting that a successful SSRF reaches systems beyond Gitea's own security authority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing low-privileged account on an internet-facing Gitea instance, then configures a repository webhook or starts a repository migration pointing at an internal address (e.g. a cloud metadata endpoint or internal service) encoded in a form that slips past the incomplete allow-list check. … |
| Remediation | Vendor-released patch: upgrade to Gitea 1.26.3 or later (1.26.4 is also available per the release blog), which corrects the incomplete allow-list filtering in the webhook and migration code paths per pull requests https://github.com/go-gitea/gitea/pull/38173 and https://github.com/go-gitea/gitea/pull/38059. … Detailed patch versions, workarounds, and compensating controls in full report. |
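The bypass class the analysis and exploit scenario above describe (a target address spelled in a form that a string-based deny list does not recognise) and the inventory step from the recommended action below, shown as an added example in Go. This is illustrative code written for this page, not Gitea's filter, its patch, or any code from the pull requests cited; `naiveDeny` is a hypothetical stand-in for an incomplete filter, and the hostnames and the address table behind `constructedResolver` are constructed so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is injected so the example runs offline; production code would wrap
// net.DefaultResolver.LookupIPAddr. (Assumption for this example.)
type Resolver func(host string) ([]net.IP, error)

// naiveDeny is a hypothetical string-prefix filter of the kind an incomplete
// SSRF allow-list amounts to: it only recognises the obvious spellings.
func naiveDeny(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true
	}
	h := strings.ToLower(u.Hostname())
	for _, p := range []string{"127.", "10.", "192.168.", "169.254."} {
		if strings.HasPrefix(h, p) {
			return true
		}
	}
	return h == "localhost"
}

// 100.64.0.0/10 (CGNAT) is not covered by net.IP.IsPrivate, so add it explicitly.
var cgnat = func() *net.IPNet {
	_, n, err := net.ParseCIDR("100.64.0.0/10")
	if err != nil {
		panic(err)
	}
	return n
}()

// isRestrictedIP classifies a parsed address rather than a hostname string, so
// the spelling of the host (decimal, IPv4-mapped IPv6, 0.0.0.0) no longer matters.
func isRestrictedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// checkTarget is the hardened form: restrict the scheme, resolve the host, and
// reject if any address it maps to is restricted. Lookup failures fail closed.
func checkTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolving %s: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isRestrictedIP(ip) {
			return fmt.Errorf("%s resolves to restricted address %s", host, ip)
		}
	}
	return nil
}

// Finding records a configured webhook or mirror target that fails the hardened check.
type Finding struct {
	URL    string
	Reason string
}

// auditTargets runs the hardened check over already-configured targets: the
// inventory a defender performs on existing webhooks and mirrors after upgrading.
func auditTargets(targets []string, resolve Resolver) []Finding {
	var out []Finding
	for _, t := range targets {
		if err := checkTarget(t, resolve); err != nil {
			out = append(out, Finding{URL: t, Reason: err.Error()})
		}
	}
	return out
}

// constructedResolver replaces DNS with a hand-written table (constructed data).
// The integer entry mimics a libc resolver that accepts a decimal host
// ("2130706433" is 127.0.0.1); Go's pure resolver would return NXDOMAIN instead.
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"hooks.example.com":     {net.ParseIP("203.0.113.10")},
		"internal.corp.example": {net.ParseIP("10.20.30.40")},
		"2130706433":            {net.ParseIP("127.0.0.1")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	for _, t := range []string{
		"https://hooks.example.com/deliver",
		"http://2130706433/",              // decimal IPv4 for 127.0.0.1
		"http://[::ffff:127.0.0.1]:3000/", // IPv4-mapped IPv6 loopback
		"http://0.0.0.0:3000/",            // unspecified address reaches local listeners
		"http://100.64.1.1/",              // CGNAT, outside IsPrivate
		"http://169.254.169.254/latest/meta-data/",
		"file:///etc/passwd",
	} {
		fmt.Printf("%-42s naiveDeny=%-5v hardened=%v\n", t, naiveDeny(t), checkTarget(t, constructedResolver))
	}
}
```

Two caveats the check alone does not cover: the address validated must be the one actually dialed (run the classification inside a custom `net.Dialer` wired into `http.Transport.DialContext`, not only before the request, so a DNS answer that changes between check and connect cannot swing to an internal host), and the check has to run again on every redirect hop via `http.Client.CheckRedirect`, since a public webhook endpoint can answer with a 302 to an internal one.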
Recommended Action (AI)
Within 24 hours: Audit and document all users with repository administrator and webhook creation permissions; identify and inventory all internal services accessible from the Gitea server. …
Related vulnerabilities
- Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-exec
- Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers r
- Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any
- Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar
- Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a
- Gitea fails to validate repository ownership when linking attachments to releases, allowing users to attach files from o
- Gitea fails to validate repository ownership when deleting Git LFS locks, allowing users with write access to one repo t
- Gitea does not properly validate project ownership in organization operations, allowing users with project write access
- Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a cra
- Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to
- Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth gran
- Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the o
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
EUVD identifier: EUVD-2026-41618