Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attacker must capture a live TOTP code and replay it within its short window, so AC:H; no auth needed by attacker (PR:N) but victim must generate a code (UI:R), yielding account takeover (C:H, I:L).
Primary rating from Vendor (Gitea).
CVSS Vector (Vendor: Gitea)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
Description (CVE.org)
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
Analysis (AI)
TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted multiple times instead of being invalidated after first use, weakening 2FA on both the web login flow and the Basic Auth X-Gitea-OTP header path. An attacker who observes a legitimate TOTP code (via interception, shoulder-surfing, or logging) can replay it within its validity window to authenticate as the victim. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target account has TOTP-based two-factor authentication enabled in Gitea and that the attacker can obtain a currently-valid TOTP code (through interception, logging, phishing relay, or shoulder-surfing) and replay it before its ~30-second time window elapses. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), a network, low-complexity, no-privilege vector with confidentiality high and integrity low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can observe a victim's live TOTP code - for example by intercepting a request, reading it from a proxy or application log, or capturing it during a phishing relay - resubmits that same code to Gitea's web 2FA form or via the X-Gitea-OTP header on the Basic Auth endpoint while it is still within its validity window. Because Gitea does not reject the already-used code, the replay succeeds and the attacker completes second-factor authentication as the victim. … |
| Remediation | Vendor-released patch: upgrade to Gitea 1.26.3 (or the later 1.26.4) per the vendor advisory GHSA-gx3v-q759-g323 and release notes at https://blog.gitea.com/release-of-1.26.3-and-1.26.4/; the code fix is in pull request https://github.com/go-gitea/gitea/pull/38151. … Detailed patch versions, workarounds, and compensating controls in full report. |
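The property the defect breaks is single use: once a TOTP code has been accepted, the same code must be refused for the rest of its window. The following Go verifier is an added illustration of that check, not Gitea's code and not the fix from the linked pull request; the secret and timestamps are constructed for the demonstration. It remembers the highest time step already consumed and rejects any code at or below it, and it serialises checks so two concurrent submissions of the same code cannot both pass.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
)

// totpCode returns the 6-digit RFC 6238 code (HMAC-SHA1, 30 s steps) for one time step.
func totpCode(secret []byte, step uint64) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, step))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// Verifier allows one step of clock skew either side and remembers the highest consumed
// step, so a code is never accepted twice (the single-use check the vulnerable versions lack).
type Verifier struct {
	mu       sync.Mutex // serialises checks so two concurrent replays cannot both pass
	secret   []byte
	lastUsed int64 // highest accepted time step; -1 means none yet
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastUsed: -1} }

// Verify returns true only for a valid code whose time step has not been used; now is Unix seconds.
func (v *Verifier) Verify(code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	cur := now / 30
	for step := cur - 1; step <= cur+1; step++ {
		if step <= v.lastUsed { // already consumed: reject the replay
			continue
		}
		if subtle.ConstantTimeCompare([]byte(totpCode(v.secret, uint64(step))), []byte(code)) == 1 {
			v.lastUsed = step // consume the step before reporting success
			return true
		}
	}
	return false
}

func main() {
	v := NewVerifier([]byte("constructed-demo-secret")) // constructed for the example, not a real key
	code := totpCode(v.secret, 1700000000/30)
	fmt.Println(v.Verify(code, 1700000000), v.Verify(code, 1700000005)) // true false
}
```

The same consumed-step record must be shared by every authentication path that accepts the code (here, the web 2FA form and the X-Gitea-OTP header), otherwise a code refused on one path is still replayable on the other.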
Recommended Action (AI)
Within 24 hours: Inventory all Gitea deployments and identify instances running versions 1.5.0-1.26.2; prioritize internet-accessible systems and repositories containing sensitive source code. …
Same weakness: CWE-294 – Authentication Bypass by Capture-replay
Same technique: Information Disclosure
EUVD-2026-41613