Gitea Open Source Git Server CVE-2026-58422

EUVD: EUVD-2026-41605
Improper Access Control (CWE-284)
2026-07-03 Gitea

Lifecycle Timeline

1. CVE Published: Jul 03, 2026 20:54 (cve.org); severity UNKNOWN (no severity yet)

Description (CVE.org)

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts
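The description above names the failure mode but not the shape of the bug. The following is an added illustration, not Gitea's code and not taken from the advisory: a hypothetical OAuth callback handler that, after the identity provider confirms the login, "activates" the linked account unconditionally, which also clears the flag an administrator set to lock it. The hardened variant beside it checks that flag before issuing a session and never mutates it on the sign-in path. All type and function names (`User`, `AdminDisabled`, `VulnerableCallback`, `HardenedCallback`) and the sample accounts are assumptions made for this example.

```go
// Added example (not Gitea's code): a minimal model of an OAuth sign-in
// callback that re-enables an administrator-disabled account, beside a
// version that refuses the sign-in instead. All names are hypothetical.
package main

import (
	"errors"
	"fmt"
)

// User is a hypothetical account record. AdminDisabled is the flag an
// administrator sets to lock the account; ExternalID links it to the
// identity the OAuth provider asserts in the callback.
type User struct {
	Name          string
	ExternalID    string
	AdminDisabled bool
}

// UserStore is an in-memory stand-in for the account database, keyed by
// the external (provider-side) identity.
type UserStore map[string]*User

var (
	ErrAccountDisabled = errors.New("account disabled by administrator")
	ErrUnknownIdentity = errors.New("no account linked to this identity")
)

// VulnerableCallback models the class of flaw described on this page: once
// the provider has confirmed the login, the handler marks the linked account
// active without asking whether an administrator deliberately disabled it.
func VulnerableCallback(store UserStore, externalID string) (*User, error) {
	u, ok := store[externalID]
	if !ok {
		return nil, ErrUnknownIdentity
	}
	// BUG: re-activation runs on every successful callback, so the locked
	// user unlocks their own account simply by signing in through OAuth.
	u.AdminDisabled = false
	return u, nil
}

// HardenedCallback enforces the administrator's decision: a disabled account
// is rejected, and the sign-in path never writes to the flag. Re-enabling
// stays an explicit administrative action elsewhere.
func HardenedCallback(store UserStore, externalID string) (*User, error) {
	u, ok := store[externalID]
	if !ok {
		return nil, ErrUnknownIdentity
	}
	if u.AdminDisabled {
		return nil, ErrAccountDisabled
	}
	return u, nil
}

// newStore builds constructed sample data: one active user and one the
// administrator has disabled.
func newStore() UserStore {
	return UserStore{
		"idp-alice": {Name: "alice", ExternalID: "idp-alice"},
		"idp-bob":   {Name: "bob", ExternalID: "idp-bob", AdminDisabled: true},
	}
}

func main() {
	s := newStore()
	if _, err := VulnerableCallback(s, "idp-bob"); err == nil {
		fmt.Printf("vulnerable: bob signed in, AdminDisabled is now %v\n", s["idp-bob"].AdminDisabled)
	}
	s = newStore()
	_, err := HardenedCallback(s, "idp-bob")
	fmt.Printf("hardened: %v; AdminDisabled still %v\n", err, s["idp-bob"].AdminDisabled)
}
```

The point to carry into a code review of any sign-in path is the write: a successful authentication callback should only read account state and issue a session; any transition from disabled to enabled belongs in an administrator-only handler with its own authorization check and audit entry.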

Other Gitea CVEs published Jul 03 (descriptions as truncated on the source page):

  • CVE-2026-27771 (HIGH 8.2, POC): Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers r…
  • CVE-2026-20896 (CRITICAL 9.8): Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any…
  • CVE-2026-58426 (CRITICAL 9.6): Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar…
  • CVE-2026-22874 (CRITICAL 9.6): Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow…
  • CVE-2026-58424 (HIGH 8.9): Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanen…
  • CVE-2026-58423 (HIGH 7.7): Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to…
  • CVE-2026-28740 (HIGH 7.1): Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds genera…
  • CVE-2026-20779 (HIGH 7.1): TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted mult…
  • CVE-2026-58418 (MEDIUM 6.5): Server-Side Request Forgery (SSRF) via HTTP redirect in Gitea's repository migration feature affects all versions throug…
  • CVE-2026-27761 (MEDIUM 4.3): Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commi…
  • CVE-2026-58421 (no score yet): Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service
  • CVE-2026-58419 (no score yet): Notification API leaks private issue metadata after access revocation

CVE-2026-58422 vulnerability details – vuln.today