PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26247 Gitea CVE debrief

Gitea versions before 1.25.5 have a critical vulnerability (CVE-2026-26247) that allows token exchange without the expected verifier check due to incorrect persistence of the OAuth2 PKCE S256 challenge method. This issue affects Gitea instances prior to version 1.25.5. The vulnerability has a CVSS score of 9.1 and is considered critical. Administrators and users of Gitea instances should apply the patch to prevent unauthorized token exchange. The CVE record was published on 2026-07-03T21:16:58.417Z and has not been modified since then. Limited information is available about the vulnerability, and further investigation is necessary to fully understand its impact.

Vendor
Gitea
Product
Gitea Open Source Git Server
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Administrators and users of Gitea instances prior to version 1.25.5 should apply the patch to prevent unauthorized token exchange. Gitea instance operators, security teams, and vulnerability management teams should review and verify OAuth2 configurations, monitor for suspicious activities, and ensure that Gitea instances are updated to version 1.25.5 or later. Additionally, security teams should review compensating controls for exposed systems while remediation is scheduled and verified.

Technical summary

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check. This critical vulnerability has a CVSS score of 9.1. The issue arises from incorrect implementation of the OAuth2 PKCE S256 challenge method, which enables attackers to bypass the verifier check. Affected Gitea instances should be updated to version 1.25.5 or later to mitigate this vulnerability. Further review of OAuth2 configurations and monitoring for suspicious token exchange activities are recommended.

Defensive priority

High priority should be given to updating Gitea instances to version 1.25.5 or later to mitigate this vulnerability. Review and verify OAuth2 configurations, monitor for suspicious token exchange activities, and ensure that Gitea instances are updated to version 1.25.5 or later.

Recommended defensive actions

  • Update Gitea to version 1.25.5 or later
  • Review and verify OAuth2 configurations
  • Monitor for suspicious token exchange activities
  • Review compensating controls for exposed systems
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and verification are necessary to fully understand the impact and affected scope. Evidence limits suggest focusing on Gitea's OAuth2 PKCE implementation and potential verifier check bypass. Defenders should verify Gitea instance configurations, review OAuth2 settings, and monitor for suspicious activities. Additional research may be required to determine the full extent of affected systems and potential attack vectors.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:58.417Z and has not been modified since then.