
Gitea CVE-2026-25779

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-17 https://github.com/go-gitea/gitea GHSA-j5r2-4c8j-xc3m

Lifecycle Timeline

Source Code Evidence Fetched: Jun 18, 2026 - 01:55 (vuln.today)
Analysis Generated: Jun 18, 2026 - 01:55 (vuln.today)

Description (source: CVE.org)

Details

Despite the validation performed by urlIsRelative in modules/httplib/url.go, an open redirect is still possible when a directory traversal sequence is combined with a backslash in the "redirect_to" parameter.

PoC

When a user logs in via this URL:

https://gitea.com/user/login?redirect_to=/a/../\example.com

they are redirected to example.com after a successful login to their Gitea account, instead of to a page on the Gitea host. The raw value "/a/../\example.com" passes the up-front check because, read literally, it is a rooted path with no scheme or host and no leading double slash. The "/a/../" prefix is only collapsed when the redirect is emitted, which leaves "/\example.com" in the Location header; browsers treat a backslash like a forward slash here, so the target becomes the protocol-relative URL "//example.com".
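The following Go program is an added illustration, not Gitea's code and not part of the advisory. naiveIsRelative is a hypothetical validator that stands in for the class of check the advisory describes (reject scheme/host and a leading "//" or "/\" pair, but look at the raw string only); locationAfterRedirect shows what net/http's http.Redirect really puts in the Location header, since it runs path.Clean on relative targets; browserView approximates the browser's backslash handling; and safeRedirectTarget is an assumed hardened design that normalises before it validates and returns the cleaned value to emit. The payload and the benign inputs are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// naiveIsRelative is a hypothetical validator modelled on the class of
// check the advisory describes: it rejects an explicit scheme or host and
// a leading "//", "\\", "/\" or "\/" pair, but it inspects the raw string
// before any path normalisation. It is not Gitea's urlIsRelative.
func naiveIsRelative(s string) bool {
	u, err := url.Parse(s)
	if err != nil {
		return false
	}
	if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
		return false
	}
	return u.Scheme == "" && u.Host == ""
}

// locationAfterRedirect returns the Location header net/http actually
// emits for a relative target. http.Redirect runs path.Clean on relative
// URLs, so "/a/../" collapses to "/" and the backslash moves into second
// position before the browser ever sees the value.
func locationAfterRedirect(target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/user/login", nil)
	http.Redirect(rec, req, target, http.StatusSeeOther)
	return rec.Result().Header.Get("Location")
}

// browserView approximates how a browser reads that header: the WHATWG URL
// parser treats "\" as "/" for http(s) URLs, so "/\example.com" is parsed
// as the protocol-relative URL "//example.com".
func browserView(location string) string {
	return strings.ReplaceAll(location, "\\", "/")
}

// safeRedirectTarget is an assumed hardened design (not the upstream fix).
// It rejects backslashes in both the raw string and the decoded path,
// rejects anything with a scheme, host, userinfo or opaque part, requires a
// rooted path that does not begin with "//", and returns the cleaned form
// so that the value validated is exactly the value that gets emitted.
func safeRedirectTarget(s string) (string, bool) {
	if s == "" || strings.Contains(s, "\\") {
		return "", false
	}
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", false
	}
	// "%5C" decodes to "\" in u.Path; refuse that too rather than reasoning
	// about how every client treats an encoded backslash.
	if strings.Contains(u.Path, "\\") {
		return "", false
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	// A backslash-free rooted path always cleans to a single leading "/",
	// so after this step a browser can only see a same-origin path.
	target := path.Clean(u.Path)
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	return target, true
}

func main() {
	payload := `/a/../\example.com` // constructed from the advisory's PoC
	fmt.Println("naive check accepts payload:    ", naiveIsRelative(payload))
	loc := locationAfterRedirect(payload)
	fmt.Printf("Location header emitted:         %q\n", loc)
	fmt.Printf("browser interprets it as:        %q\n", browserView(loc))
	safe, ok := safeRedirectTarget(payload)
	fmt.Println("hardened check accepts payload: ", ok, safe)
	safe, ok = safeRedirectTarget("/a/../user/settings?tab=account")
	fmt.Println("hardened check, benign input:   ", ok, safe)
}
```

The order of operations is the whole point: any validator that inspects redirect_to before the same normalisation the redirect path will apply is checking a different string from the one the browser receives. Validating the cleaned value, and emitting that same cleaned value, closes the gap regardless of which traversal or separator trick is used to build the input.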

Impact

  • Phishing: links on the trusted Gitea domain can redirect victims to a credential-harvesting page on an attacker-controlled host
  • OAuth/SSO token theft: where the login redirect forms part of an authentication flow, authorization codes or tokens may be delivered to the attacker's host
  • Referer leakage: sensitive URL parameters may be exposed to the attacker's domain via the Referer header
  • Cache poisoning: in deployments with a shared cache, a malicious redirect response may be cached and served to other users

Analysis (AI-generated)

An open redirect in Gitea's login flow allows a victim to be sent to an external domain: the urlIsRelative validation in modules/httplib/url.go is bypassed by combining a directory traversal sequence with a backslash in the redirect_to parameter. All Gitea instances running version 1.25.4 and below are affected; a working proof-of-concept is publicly available in the GitHub Security Advisory. …
