
Gitea · EUVD-2026-41643 | CVE-2026-28740 · HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-03 · Gitea
CVSS 3.1 score: 7.1 (Vendor: Gitea)

Severity by source

Vendor (Gitea), primary: 7.1 HIGH
  CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

vuln.today AI: 6.3 MEDIUM
  Authenticated repo member (PR:L) exploiting LFS reuse over the network (AV:N) with non-trivial mechanics (AC:H); impact is unauthorized read of private source across a permission boundary (S:C, C:H) with no integrity or availability effect.
  CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  CVSS 4.0: AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 03, 2026, 21:03 (vuln.today)

Description (CVE.org)

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

Analysis (AI)

Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds general repository access but has NOT been granted the Code unit permission read private source content by reusing Git LFS objects to authorize otherwise-restricted source objects. The flaw (CWE-639, tracked as GHSA-2m9v-5q2g-58vq) enables horizontal privilege escalation to confidential code within a repository. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate as repo member without Code unit
Delivery: Enumerate LFS object OIDs
Exploit: Request LFS object reuse/authorization
Execution: Bypass Code-unit permission check
Impact: Read private source objects

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target repository to use Git LFS and the attacker to already hold a repository access grant on that repository while lacking the Code unit permission; that specific over-provisioned-but-Code-restricted membership state IS the condition. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: This is a moderate, real but not urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated Gitea user who was granted limited repository access (for example, Issues or Wiki) but deliberately denied the Code unit crafts LFS object requests that reuse/authorize private source objects, retrieving confidential source content they should not be able to read. Because AC:H applies, the attacker must understand and manipulate the LFS object-reuse mechanism, but no elevated privileges or victim interaction are required. …

Remediation: Vendor-released patch: 1.26.3. Upgrade all Gitea instances from any release up to and including 1.26.2 to 1.26.3 (or later, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Inventory all Gitea instances running version 1.26.2 or earlier. …
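One way to do that inventory step, as an added example that is not vuln.today's or the Gitea project's code: classify each instance by the version it reports, using the advisory's 1.26.3 fix boundary. It assumes each instance answers Gitea's GET /api/v1/version endpoint with a JSON body of the form {"version": "1.26.2"}; the host names and response bodies below are constructed.

```python
"""Added example, not from vuln.today or the Gitea project: flag Gitea
instances affected by CVE-2026-28740 from the version they report. Assumes
GET /api/v1/version returns {"version": "..."} and 1.26.3 is the fixed release."""
import json
import re

FIXED_VERSION = (1, 26, 3)  # first release with the fix, per the advisory
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Reduce "1.26.2", "v1.26.2" or "1.26.2-rc1" to (major, minor, patch)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for one reported version."""
    # Snapshot builds ("1.27.0+dev-40-g...") carry the *next* release number,
    # so the numeric tag says nothing about whether this fix is included.
    if "dev" in version_text:
        return "unknown"
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    return "fixed" if parsed >= FIXED_VERSION else "affected"


def triage_inventory(responses):
    """Map host -> classification from raw /api/v1/version response bodies."""
    result = {}
    for host, body in responses.items():
        try:
            version_text = json.loads(body)["version"]
        except (ValueError, KeyError, TypeError):
            result[host] = "unknown"  # non-JSON (e.g. a login page) or odd shape
            continue
        result[host] = classify(str(version_text))
    return result


# Constructed sample bodies for hypothetical hosts, in the shape Gitea returns.
SAMPLE_RESPONSES = {
    "git-a.example.test": '{"version": "1.26.2"}',
    "git-b.example.test": '{"version": "1.26.3"}',
    "git-c.example.test": '{"version": "1.27.0+dev-40-gdeadbeef"}',
    "git-d.example.test": "<html>login</html>",
}
```

To use it against real instances, fetch each host's /api/v1/version body with your HTTP client of choice and pass the host-to-body mapping to triage_inventory; anything reported as "unknown" needs a manual check.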

