
Gitea CVE-2026-58424

EUVD: EUVD-2026-41607 · HIGH
Improper Authorization (CWE-285)
2026-07-03 · Gitea
Score: 8.9 (CVSS 3.1 · Vendor: Gitea)

Severity by source

Vendor (Gitea), primary source: 8.9 HIGH
  AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
vuln.today AI: 8.9 HIGH

Network-reachable fork PR needs a low-priv contributor (PR:L) and a maintainer approval action (UI:R); bypass lets untrusted workflow code hit CI runners/secrets (S:C, I:H/A:H, C:L).

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026 - 21:58 (vuln.today)

Description (CVE.org)

Permanent Fork PR Workflow Approval Gate Bypass

Analysis (AI)

Authorization bypass in the Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanently defeat the maintainer approval step that normally guards workflow execution on fork PRs: once the initial gate has been subverted, the attacker's workflow code runs against the repository's CI runners and secrets. CVSS is 8.9 (high) with a scope change and high integrity/availability impact; no public exploit has been identified at time of analysis, but a vendor patch (v1.26.4) is available. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register contributor account and fork repo
Delivery: Open fork PR triggering workflow
Exploit: Maintainer grants initial approval
Execution: Abuse permanent-approval bypass to skip re-approval
Persist: Execute attacker-controlled workflow on CI runner
Impact: Access secrets/tokens, tamper with builds

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that Gitea Actions is enabled and that the repository accepts fork pull requests gated by the maintainer approval workflow, the exact feature the CVE targets. …
Risk Assessment: The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H, base 8.9) indicates a network-reachable, low-complexity attack requiring a low-privileged account (PR:L, i.e. …
Exploit Scenario: An attacker registers a contributor account, forks a target repository hosted on a vulnerable Gitea instance, and opens a pull request. Once a maintainer grants the one-time approval for the fork's workflow, the attacker exploits the permanent-approval flaw so that later malicious workflow changes execute without a fresh approval, running attacker-controlled code on the CI runner with access to repository tokens and secrets. No public exploit has been identified at time of analysis, but the network vector and low attack complexity make this straightforward to attempt for anyone able to submit a fork PR.
Remediation: Vendor-released patch v1.26.4. Upgrade Gitea to 1.26.4 or later, per the advisory GHSA-777r-4v59-6486 (https://github.com/go-gitea/gitea/security/advisories/GHSA-777r-4v59-6486) and the release notes at https://github.com/go-gitea/gitea/releases/tag/v1.26.4 and https://blog.gitea.com/release-of-1.26.3-and-1.26.4/; the code fix is in PR https://github.com/go-gitea/gitea/pull/38010. …

Recommended Action (AI)

Within 24 hours: audit Gitea Actions execution logs for bypassed approval workflows and review fork PR commits for suspicious activity. …


