Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Authenticated repo member (PR:L) exploiting LFS reuse over the network (AV:N) with non-trivial mechanics (AC:H); impact is unauthorized read of private source across a permission boundary (S:C, C:H) with no integrity or availability effect.
Primary rating from Vendor (Gitea).
CVSS Vector (Vendor: Gitea)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Description (source: CVE.org)
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
Analysis (AI-generated)
Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds general repository access but has NOT been granted the Code unit permission read private source content by reusing Git LFS objects to authorize otherwise-restricted source objects. The flaw (CWE-639, tracked as GHSA-2m9v-5q2g-58vq) enables horizontal privilege escalation to confidential code within a repository. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target repository to use Git LFS and the attacker to already hold a repository access grant on that repository while lacking the Code unit permission; that specific over-provisioned-but-Code-restricted membership state is the precondition. … |
| Risk Assessment | This is a moderate, real but not urgent priority. … |
| Exploit Scenario | An authenticated Gitea user who was granted limited repository access (for example, Issues or Wiki) but deliberately denied the Code unit crafts LFS object requests that reuse/authorize private source objects, retrieving confidential source content they should not be able to read. Because AC:H applies, the attacker must understand and manipulate the LFS object-reuse mechanism, but no elevated privileges or victim interaction are required. … |
| Remediation | Vendor-released patch: 1.26.3. Upgrade all Gitea instances running any release up to and including 1.26.2 to 1.26.3 (or later, e.g. …). |
Recommended Action (AI-generated)
24 hours: Inventory all Gitea instances running version 1.26.2 or earlier. …
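As an added example (not part of the vuln.today page or of Gitea's own tooling), the check below supports that inventory step: it classifies Gitea instances against the 1.26.3 fix from the JSON that Gitea's `/api/v1/version` endpoint returns. The hostnames and version strings are constructed sample data; dev builds are judged by their numeric prefix only, so a `1.26.2+dev` build is reported as affected even if it happens to carry the fix commit.

```python
"""Classify Gitea instances against the fixed release for this advisory.

Added example, not code from the vuln.today page or from Gitea. It parses
the JSON that Gitea's /api/v1/version endpoint returns ({"version": "1.26.2"})
and flags anything below the fixed release 1.26.3. Hostnames and version
strings below are constructed sample data.
"""
import json
import re

FIXED_VERSION = (1, 26, 3)  # first release that carries the fix

# Constructed sample /api/v1/version responses, keyed by placeholder hostname.
SAMPLE_RESPONSES = {
    "git-a.example.internal": '{"version": "1.26.2"}',
    "git-b.example.internal": '{"version": "1.26.3"}',
    "git-c.example.internal": '{"version": "1.25.4+dev-17-gabcdef0"}',  # dev build
    "git-d.example.internal": '{"version": "1.27.0-rc1"}',               # pre-release
    "git-e.example.internal": '{"version": "1.26.3+dev"}',
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> tuple:
    """Extract the numeric major.minor.patch prefix, tolerating a leading 'v',
    '+dev...' build metadata and '-rcN' pre-release suffixes."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(raw: str) -> bool:
    """True when the release is below 1.26.3 ('up to and including 1.26.2')."""
    return parse_version(raw) < FIXED_VERSION


def triage(responses: dict) -> dict:
    """Sort instances into 'affected', 'fixed' and 'unknown' from /version JSON."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, body in responses.items():
        try:
            version = json.loads(body)["version"]
            bucket = "affected" if is_affected(version) else "fixed"
        except (ValueError, KeyError, TypeError, AttributeError):
            bucket = "unknown"  # malformed body, missing key or non-string version
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_RESPONSES).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```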
EUVD-2026-41643