
Gitea CVE-2026-58423

EUVD: EUVD-2026-41606 · HIGH
Improper Authentication (CWE-287)
2026-07-03 · Gitea
CVSS 3.1 base score 7.7 · Vendor: Gitea

Severity by source

Vendor (Gitea), primary: 7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI: 7.7 HIGH

Network SSH access with a low-privileged account (PR:L), low complexity to craft the malformed sub-verb, scope change crossing the authorization boundary, and read-only exposure of private data (C:H, I/A:N).

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026, 21:54 (vuln.today)

Description (CVE.org)

LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to private repositories

Analysis (AI)

Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to read files from private repositories they should not access by supplying a malformed SSH sub-verb, per the Gitea security advisory GHSA-7wvc-rvp7-w99x. Because the flaw crosses a security boundary (CVSS scope change) it exposes confidential repository contents without any integrity or availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to Gitea SSH with low-priv account
Delivery: Send git-lfs-authenticate with malformed sub-verb
Exploit: Bypass repository authorization check
Execution: Obtain LFS read token for private repo
Impact: Exfiltrate private LFS objects

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) a valid low-privileged authenticated Gitea account (CVSS PR:L, not unauthenticated), (2) network SSH access to the Gitea instance's Git-over-SSH endpoint, and (3) the target repositories using Git LFS, since the bypass is in the parsing of the LFS git-lfs-authenticate SSH sub-verb. …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7 High) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, yielding high confidentiality impact with a scope change, consistent with a valid low-privileged account reading data outside its authorization boundary. …

Exploit Scenario: A user with only a low-privileged account on a shared Gitea instance connects over SSH and issues a git-lfs-authenticate request carrying a malformed sub-verb, causing Gitea to grant an LFS read token for a private repository they are not a member of. They then pull the private repository's LFS-stored objects, exfiltrating source code or secrets. …

Remediation: Vendor-released patch: Gitea 1.26.4. Upgrade all instances to 1.26.4 (or later) as documented in the release notes at https://github.com/go-gitea/gitea/releases/tag/v1.26.4 and the announcement at https://blog.gitea.com/release-of-1.26.3-and-1.26.4/, following the advisory at https://github.com/go-gitea/gitea/security/advisories/GHSA-7wvc-rvp7-w99x and PR https://github.com/go-gitea/gitea/pull/38008. …

Recommended Action (AI)

Within 24 hours: Audit all Gitea deployments to identify versions prior to 1.26.4 and evaluate private repository exposure. …
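The audit step above amounts to collecting the running version of every Gitea deployment and comparing it against the fixed release. The following script is an added example (not code from vuln.today or the Gitea project) that does that comparison over a constructed inventory; the only assumption about Gitea itself is that a live instance answers GET /api/v1/version with a JSON object whose "version" field holds the version string. Build numbers such as 1.27.0+dev-… are deliberately reported as unknown, because a development build carries the next release's number regardless of whether it was cut before or after the fix landed.

```python
"""Flag Gitea instances whose reported version predates the fixed release.

Added example, not vuln.today's or Gitea's own code. The fixed version comes
from the advisory's remediation; host names and versions below are constructed.
"""
import json
import re
import urllib.request

FIXED_VERSION = "1.26.4"  # first release containing the fix, per the advisory

# Accept "1.26.3", "v1.26.4", "1.27.0+dev-40-gabcdef"; capture only x.y.z.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<suffix>.*)$")


def parse_version(text):
    """Return (major, minor, patch) for a Gitea version string.

    Raises ValueError on input it cannot parse so that an unreadable version is
    never silently treated as patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_dev_build(text):
    """True for builds tagged with a "+dev" suffix (version number is not
    evidence that the fix is present)."""
    m = _VERSION_RE.match(text.strip())
    return bool(m) and m.group("suffix").startswith("+dev")


def needs_upgrade(version_text, fixed=FIXED_VERSION):
    """True when the release number is strictly below the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def fetch_version(base_url, timeout=5):
    """Query a live instance's /api/v1/version endpoint (assumed API shape).

    Not exercised offline; call it to populate the inventory in practice.
    """
    url = f"{base_url.rstrip('/')}/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def audit(inventory):
    """Map each instance name to 'vulnerable', 'patched' or 'unknown'.

    inventory: dict of name -> version string, or None when the probe failed.
    Anything that cannot be classified with confidence is 'unknown' so it is
    followed up rather than dropped from the worklist.
    """
    report = {}
    for name, version in inventory.items():
        if version is None:
            report[name] = "unknown"
            continue
        try:
            if is_dev_build(version):
                report[name] = "unknown"
            else:
                report[name] = "vulnerable" if needs_upgrade(version) else "patched"
        except ValueError:
            report[name] = "unknown"
    return report


# Constructed sample inventory; these are not real hosts or observed versions.
SAMPLE_INVENTORY = {
    "git-internal": "1.26.3",
    "git-ci": "v1.26.4",
    "git-dev": "1.27.0+dev-40-gabcdef",
    "git-legacy": "1.22.6",
    "git-lab": None,  # probe failed (e.g. timeout); must still be reviewed
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name}: {status}")
```

The script only establishes which instances still need the upgrade; the exposure review the action item also asks for (which private repositories use LFS, and who holds low-privileged accounts) has to be done against each instance's own data.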


CVE-2026-27771 HIGH POC
8.2 Jul 03

Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers r

CVE-2026-20896 CRITICAL
9.8 Jul 03

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any

CVE-2026-58426 CRITICAL
9.6 Jul 03

Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar

CVE-2026-22874 CRITICAL
9.6 Jul 03

Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow

CVE-2026-58424 HIGH
8.9 Jul 03

Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanen

CVE-2026-28740 HIGH
7.1 Jul 03

Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds genera

CVE-2026-20779 HIGH
7.1 Jul 03

TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted mult

CVE-2026-58418 MEDIUM
6.5 Jul 03

Server-Side Request Forgery (SSRF) via HTTP redirect in Gitea's repository migration feature affects all versions throug

CVE-2026-27761 MEDIUM
4.3 Jul 03

Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commi

CVE-2026-58422
Jul 03

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

CVE-2026-58421
Jul 03

Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service

CVE-2026-58419
Jul 03

Notification API leaks private issue metadata after access revocation


CVE-2026-58423 vulnerability details – vuln.today
