PatchSiren cyber security CVE debrief
CVE-2026-20779 Gitea CVE debrief
CVE-2026-20779 is a HIGH severity vulnerability in Gitea, a self-hosted Git service. Versions from 1.5.0 before 1.26.3 have a defect in the Time-Based One-Time Password (TOTP) single-use enforcement. This defect allows a valid TOTP code, used for two-factor authentication, to be accepted more than once across different authentication flows, including web two-factor authentication and the Basic Auth X-Gitea-OTP path. The vulnerability has a CVSS score of 7.1.
- Vendor
- Gitea
- Product
- Gitea Open Source Git Server
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of Gitea instances, especially those using two-factor authentication with TOTP, should be aware of this vulnerability. If an attacker gains access to a user's TOTP code, they could exploit this defect to bypass two-factor authentication multiple times.
Technical summary
The TOTP single-use enforcement defect in Gitea allows an attacker to reuse a valid TOTP code more than once. This could happen across different authentication flows, such as web-based two-factor authentication and Basic Auth with X-Gitea-OTP. The vulnerability exists in Gitea versions from 1.5.0 up to but not including 1.26.3. The Common Vulnerabilities and Exposures (CVE) score for this vulnerability is 7.1, classified as HIGH severity.
Defensive priority
High priority should be given to updating Gitea instances to version 1.26.3 or later. In the meantime, additional monitoring and logging of authentication attempts, especially those involving TOTP codes, may help detect potential exploitation attempts.
Recommended defensive actions
- Update Gitea to version 1.26.3 or later
- Review and enhance authentication logging and monitoring
- Consider implementing additional security measures for two-factor authentication
- Confirm whether affected Gitea instances exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-03T21:16:56.543Z and was last modified on 2026-07-07T18:16:35.270Z. The NVD entry is currently Deferred. Multiple sources confirm the vulnerability, including the official Gitea release notes and GitHub advisories.
Official resources
-
CVE-2026-20779 CVE record
CVE.org
-
CVE-2026-20779 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:56.543Z and has not been modified since then. The NVD entry is currently Deferred.