Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
An authenticated Actions user (PR:L) exploits a low-complexity network flaw that crosses the repository boundary (S:C) to read private artifacts (C:H) and write cross-task state (I:H); no availability impact.
Primary rating from Vendor (Gitea).
CVSS Vector (Vendor: Gitea)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
Description (CVE.org)
Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write
Analysis (AI)
Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) arises from an HMAC signature ambiguity in the Actions Artifacts V4 signed-URL scheme, letting an authenticated low-privilege user reuse a validly signed URL outside its intended repository or task context. An attacker with access to a single Actions task can read private artifacts belonging to other repositories and write upload-state for tasks they do not own, crossing the repository trust boundary (CVSS 9.6, scope-changed). …
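The page does not state the exact form of the HMAC ambiguity, so the Go snippet below is an added illustration (not Gitea's code) that assumes the classic cause of this bug class: fields MACed as a delimiter-free concatenation, so that two different (artifact name, task ID, artifact ID) tuples produce the same signed byte stream and the same signature verifies for both. The second scheme shows the defensive fix, a length-prefixed, fixed-width canonical encoding; the secret and tuples are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed demo secret; a server would use its configured signing secret.
var secret = []byte("demo-signing-secret")

// AmbiguousSig MACs the fields as a delimiter-free concatenation (assumed
// bug pattern). Distinct tuples can produce the same byte stream.
func AmbiguousSig(name string, taskID, artifactID int64) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(name))
	mac.Write([]byte(fmt.Sprint(taskID)))
	mac.Write([]byte(fmt.Sprint(artifactID)))
	return mac.Sum(nil)
}

// CanonicalSig length-prefixes the string and writes integers as fixed-width
// big-endian values, so the MAC input decodes to exactly one tuple.
func CanonicalSig(name string, taskID, artifactID int64) []byte {
	mac := hmac.New(sha256.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(len(name)))
	mac.Write(buf[:])
	mac.Write([]byte(name))
	binary.BigEndian.PutUint64(buf[:], uint64(taskID))
	mac.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], uint64(artifactID))
	mac.Write(buf[:])
	return mac.Sum(nil)
}

// Verify mirrors a server-side check: recompute under the scheme and compare in constant time.
func Verify(sign func(string, int64, int64) []byte, sig []byte, name string, taskID, artifactID int64) bool {
	return hmac.Equal(sig, sign(name, taskID, artifactID))
}

func main() {
	// "build1"+"23"+"4" and "build12"+"3"+"4" both concatenate to "build1234".
	sig := AmbiguousSig("build1", 23, 4)
	fmt.Println("ambiguous scheme accepts other task:", Verify(AmbiguousSig, sig, "build12", 3, 4)) // true
	sig = CanonicalSig("build1", 23, 4)
	fmt.Println("canonical scheme accepts other task:", Verify(CanonicalSig, sig, "build12", 3, 4)) // false
}
```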
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The Gitea instance must have Actions enabled and be using the Artifacts V4 API, and the attacker must hold a valid authenticated account able to run or trigger at least one Actions task (PR:L) in order to obtain a validly signed artifact URL as the exploitation primitive. … |
| Risk Assessment | The signals are largely consistent toward high priority: CVSS 3.1 base 9.6 with AV:N/AC:L/PR:L/UI:N and a scope change (S:C) reflecting the cross-repository boundary crossing, C:H (reading other repositories' private artifacts) and I:H (writing cross-task upload state), A:N. … |
| Exploit Scenario | An attacker registers or already holds a low-privilege account on a shared Gitea instance and triggers a workflow to obtain a legitimately signed Artifacts V4 URL. Exploiting the HMAC ambiguity, they re-scope that signed URL to a victim repository, downloading its private build artifacts (which may contain source, credentials, or secrets) and writing forged upload-state into another team's task. … |
| Remediation | Vendor-released patch: upgrade to Gitea v1.26.2 (https://github.com/go-gitea/gitea/releases/tag/v1.26.2), which corrects the Artifacts V4 signed-URL HMAC validation per the fix in pull request https://github.com/go-gitea/gitea/pull/37707 and advisory GHSA-hg5r-vq93-9fv6. … |
Recommended Action (AI)
24 hours: Inventory all Gitea instances in production; identify which run versions prior to v1.26.2 with Actions enabled; disable Actions if v1.26.2 cannot be deployed within 48 hours. …
EUVD ID: EUVD-2026-41608