Severity by source
CVSS 3.1 vector (vendor rating, Gitea): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network SSH access with a low-privileged account (PR:L), low attack complexity to craft the malformed sub-verb, a scope change because the request crosses the authorization boundary, and read-only exposure of private data (C:H, I:N, A:N).
Primary rating from the vendor (Gitea).
Description (source: CVE.org)
LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to private repositories
Analysis (AI)
Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to read files from private repositories they should not be able to access by supplying a malformed SSH sub-verb, per the Gitea security advisory GHSA-7wvc-rvp7-w99x. Because the flaw crosses a security boundary (a CVSS scope change), it exposes confidential repository contents with no integrity or availability impact. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) a valid low-privileged authenticated Gitea account (CVSS PR:L, not unauthenticated), (2) network SSH access to the Gitea instance's Git-over-SSH endpoint, and (3) target repositories that use Git LFS, since the bypass is in the parsing of the LFS git-lfs-authenticate SSH sub-verb. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base score 7.7 High) describes a network-reachable, low-complexity attack that requires only low privileges and no user interaction and yields high confidentiality impact with a scope change, consistent with a valid low-privileged account reading data outside its authorization boundary. … |
| Exploit Scenario | A user with only a low-privileged account on a shared Gitea instance connects over SSH and issues a git-lfs-authenticate request carrying a malformed sub-verb, causing Gitea to grant an LFS read token for a private repository they are not a member of. They then pull the private repository's LFS-stored objects, exfiltrating source code or secrets. … |
| Remediation | Vendor-released patch: Gitea 1.26.4. Upgrade all instances to 1.26.4 or later as documented in the release notes at https://github.com/go-gitea/gitea/releases/tag/v1.26.4 and the announcement at https://blog.gitea.com/release-of-1.26.3-and-1.26.4/, following the advisory at https://github.com/go-gitea/gitea/security/advisories/GHSA-7wvc-rvp7-w99x and PR https://github.com/go-gitea/gitea/pull/38008. … |
Recommended Action (AI)
Within 24 hours: Audit all Gitea deployments to identify versions prior to 1.26.4 and evaluate private repository exposure. …
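To support that audit step, the following is an added example (not code from vuln.today or the Gitea project): a Python helper that classifies Gitea version strings against the fixed release 1.26.4 and lists the instances that still need the upgrade. It assumes Gitea's public GET /api/v1/version endpoint for live lookups; the hostnames and versions in the sample inventory are constructed.

```python
"""Audit Gitea instances for the 1.26.4 fix (GHSA-7wvc-rvp7-w99x)."""
import json
import re
import urllib.request

FIXED_VERSION = (1, 26, 4)  # first release carrying the fix, per the advisory

# Accepts 'v1.26.4', '1.26.4', '1.27.0-rc1' and build metadata such as
# '1.26.4+dev-12-gabcdef' (assumed Gitea version string shapes).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?P<pre>-[0-9A-Za-z.]+)?(?:\+.*)?$")


def parse_version(raw):
    """Return (major, minor, patch, is_prerelease); raise on unknown shapes."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group("pre") is not None


def is_affected(raw):
    """True if the instance is older than 1.26.4 and still needs the upgrade.

    A pre-release of 1.26.4 itself (e.g. 1.26.4-rc1) predates the final
    release and is conservatively treated as affected.
    """
    major, minor, patch, pre = parse_version(raw)
    core = (major, minor, patch)
    return core < FIXED_VERSION or (core == FIXED_VERSION and pre)


def fetch_version(base_url, timeout=5):
    """Read the running version from Gitea's GET /api/v1/version endpoint."""
    url = f"{base_url.rstrip('/')}/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def audit(inventory):
    """Map {instance: version string} to the sorted list of affected instances."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical hostnames, not real instances.
    sample = {
        "git.example.internal": "1.26.3",
        "git-staging.example.internal": "1.26.4",
        "git-dev.example.internal": "1.27.0+dev-45-gdeadbeef",
        "git-old.example.internal": "v1.25.2",
    }
    for host in audit(sample):
        print(f"{host}: {sample[host]} -> upgrade to 1.26.4 or later")
```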
Weakness: CWE-287 – Improper Authentication
Technique: Authentication Bypass
EUVD reference: EUVD-2026-41606