
Gitea Open Source Git Server
EUVD-2026-41604 | CVE-2026-58421
Improper Access Control (CWE-284)
2026-07-03 Gitea

Lifecycle Timeline

  1. CVE Published: Jul 03, 2026 - 20:54 (cve.org)
     Severity: UNKNOWN (no severity yet)

Description (CVE.org)

Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service



CVE-2026-27771 HIGH POC
8.2 Jul 03

Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers r

CVE-2026-20896 CRITICAL
9.8 Jul 03

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any

CVE-2026-58426 CRITICAL
9.6 Jul 03

Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar

CVE-2026-22874 CRITICAL
9.6 Jul 03

Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow

CVE-2026-58424 HIGH
8.9 Jul 03

Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanen

CVE-2026-58423 HIGH
7.7 Jul 03

Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to

CVE-2026-28740 HIGH
7.1 Jul 03

Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds genera

CVE-2026-20779 HIGH
7.1 Jul 03

TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted mult

CVE-2026-58418 MEDIUM
6.5 Jul 03

Server-Side Request Forgery (SSRF) via HTTP redirect in Gitea's repository migration feature affects all versions throug

CVE-2026-27761 MEDIUM
4.3 Jul 03

Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commi

CVE-2026-58422
Jul 03

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

CVE-2026-58419
Jul 03

Notification API leaks private issue metadata after access revocation


EUVD-2026-41604 vulnerability details – vuln.today
