
Gitea CVE-2026-58418

EUVD: EUVD-2026-41602 · Severity: MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-03 · Gitea
CVSS 3.1 score: 6.5 · Vendor: Gitea

Severity by source

Vendor (Gitea), primary: 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
vuln.today AI: 6.5 MEDIUM

Migration feature is network-accessible and requires a low-privilege authenticated account (PR:L); SSRF yields internal data read only (C:H, I:N, A:N) with no scope change.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026, 22:14 (vuln.today)

Description (CVE.org)

SSRF via HTTP Redirect in Repository Migration

Analysis (AI)

Server-Side Request Forgery (SSRF) via HTTP redirect in Gitea's repository migration feature affects all versions through 1.25.4. An authenticated attacker can coerce the Gitea server into issuing HTTP requests to arbitrary internal network destinations by supplying a crafted migration URL that redirects to an internal address. The CVSS score of 6.5 (C:H) reflects that successful exploitation can expose the responses of sensitive internal services (cloud metadata endpoints, internal APIs, or other intranet services) to the attacker. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate to Gitea with a low-privilege account
Delivery: Navigate to the repository migration feature
Exploit: Submit a crafted migration URL pointing to an attacker-controlled server
Execution: The attacker's server issues an HTTP redirect to an internal target (e.g., a metadata endpoint)
Persist: The Gitea server follows the redirect without validation
Impact: The internal service's response is returned to the attacker

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid Gitea user account with permission to use the repository migration feature (CVSS PR:L, low-privilege authenticated access). …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates network-reachable exploitation with low complexity, but it critically requires a valid authenticated user account (PR:L), which meaningfully narrows the realistic attacker population compared to an unauthenticated SSRF. …
Exploit Scenario: An attacker with a low-privilege Gitea account navigates to the repository migration interface and submits a migration URL pointing to an attacker-controlled server. That server responds with an HTTP 301 redirect targeting an internal address, such as the AWS EC2 instance metadata service at http://169.254.169.254/latest/meta-data/ or an internal Kubernetes API endpoint. …
Remediation: Upgrade to Gitea v1.26.3 or v1.26.4, both of which contain the fix per the vendor release announcements at https://github.com/go-gitea/gitea/releases/tag/v1.26.4 and https://blog.gitea.com/release-of-1.26.3-and-1.26.4/. …
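The weakness the analysis and exploit scenario above describe is that a migration URL is checked once, but the HTTP redirect it returns is followed without the same check. The Go program below is an added example written for this page; it is not Gitea's code and not the vendor's patch, and the helper names (FetchMigrationSource, RedirectGuard, GuardDialAddress), the blocked address ranges and the sample URLs are all constructed here. It validates the initial URL, re-validates every redirect hop in an http.Client CheckRedirect policy, and repeats the check on the resolved address in the dialer's Control hook, so a hostname that resolves to an internal address at connect time is blocked as well.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// Ranges a migration fetcher should never reach (constructed for this example):
// loopback, RFC 1918, link-local (which includes the cloud metadata address
// 169.254.169.254), CGNAT, "this network", and the IPv6 equivalents.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip lies in any blocked range. IPNet.Contains
// normalises IPv4-mapped IPv6 addresses, so ::ffff:10.0.0.1 is caught too.
func IsBlockedIP(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateTarget rejects non-HTTP(S) schemes and hosts that are, or resolve
// to, a blocked address. It runs on the initial URL and on every redirect hop.
func ValidateTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name
		resolved, err := net.LookupIP(host)
		if err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
		ips = resolved
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("host %s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// RedirectGuard is an http.Client.CheckRedirect policy: the Location target is
// validated before the client follows it, and the hop count is capped.
func RedirectGuard(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("too many redirects")
	}
	if err := ValidateTarget(req.URL); err != nil {
		return fmt.Errorf("redirect to %s rejected: %w", req.URL, err)
	}
	return nil
}

// GuardDialAddress runs at dial time on the resolved "ip:port", closing the
// gap between validating a hostname and actually connecting to it.
func GuardDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("dial address %q is not an IP literal", address)
	}
	if IsBlockedIP(ip) {
		return fmt.Errorf("dial to %s blocked by policy", address)
	}
	return nil
}

// NewGuardedClient wires both checks into one http.Client.
func NewGuardedClient() *http.Client {
	dialer := &net.Dialer{
		Control: func(network, address string, _ syscall.RawConn) error {
			return GuardDialAddress(address)
		},
	}
	return &http.Client{
		Transport:     &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: RedirectGuard,
	}
}

// FetchMigrationSource (hypothetical name) validates rawURL, then fetches it
// with the guarded client so redirects and dials are policed as well.
func FetchMigrationSource(rawURL string) (*http.Response, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := ValidateTarget(u); err != nil {
		return nil, err
	}
	return NewGuardedClient().Get(u.String())
}

func main() {
	// Constructed input: a direct request to the metadata address is refused
	// before any connection is made.
	_, err := FetchMigrationSource("http://169.254.169.254/latest/meta-data/")
	fmt.Println("direct:", err)
}
```

The point of having three layers is that each one sees something the others do not: the initial check catches an obviously internal migration URL, CheckRedirect sees each Location header before the client follows it, and the dialer Control sees the address the connection is actually about to use, which is the only place a name that changes its DNS answer between validation and connection can be stopped.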


Related vulnerabilities (Gitea)

CVE-2026-27771 (HIGH, 8.2, PoC available, Jul 03): Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers r…
CVE-2026-20896 (CRITICAL, 9.8, Jul 03): Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any…
CVE-2026-58426 (CRITICAL, 9.6, Jul 03): Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar…
CVE-2026-22874 (CRITICAL, 9.6, Jul 03): Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow…
CVE-2026-58424 (HIGH, 8.9, Jul 03): Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanen…
CVE-2026-58423 (HIGH, 7.7, Jul 03): Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to…
CVE-2026-28740 (HIGH, 7.1, Jul 03): Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds genera…
CVE-2026-20779 (HIGH, 7.1, Jul 03): TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted mult…
CVE-2026-27761 (MEDIUM, 4.3, Jul 03): Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commi…
CVE-2026-58422 (Jul 03): Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts
CVE-2026-58421 (Jul 03): Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service
CVE-2026-58419 (Jul 03): Notification API leaks private issue metadata after access revocation


CVE-2026-58418 vulnerability details – vuln.today
