PatchSiren cyber security CVE debrief
CVE-2026-26247 Gitea CVE debrief
Gitea versions before 1.25.5 have a critical vulnerability (CVE-2026-26247) that allows token exchange without the expected verifier check due to incorrect persistence of the OAuth2 PKCE S256 challenge method. This issue affects Gitea instances prior to version 1.25.5. The vulnerability has a CVSS score of 9.1 and is considered critical. Administrators and users of Gitea instances should apply the patch to prevent unauthorized token exchange. The CVE record was published on 2026-07-03T21:16:58.417Z and has not been modified since then. Limited information is available about the vulnerability, and further investigation is necessary to fully understand its impact.
- Vendor
- Gitea
- Product
- Gitea Open Source Git Server
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of Gitea instances prior to version 1.25.5 should apply the patch to prevent unauthorized token exchange. Gitea instance operators, security teams, and vulnerability management teams should review and verify OAuth2 configurations, monitor for suspicious activities, and ensure that Gitea instances are updated to version 1.25.5 or later. Additionally, security teams should review compensating controls for exposed systems while remediation is scheduled and verified.
Technical summary
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check. This critical vulnerability has a CVSS score of 9.1. The issue arises from incorrect implementation of the OAuth2 PKCE S256 challenge method, which enables attackers to bypass the verifier check. Affected Gitea instances should be updated to version 1.25.5 or later to mitigate this vulnerability. Further review of OAuth2 configurations and monitoring for suspicious token exchange activities are recommended.
Defensive priority
High priority should be given to updating Gitea instances to version 1.25.5 or later to mitigate this vulnerability. Review and verify OAuth2 configurations, monitor for suspicious token exchange activities, and ensure that Gitea instances are updated to version 1.25.5 or later.
Recommended defensive actions
- Update Gitea to version 1.25.5 or later
- Review and verify OAuth2 configurations
- Monitor for suspicious token exchange activities
- Review compensating controls for exposed systems
- Check relevant monitoring, detection, and logs for exposed assets
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and verification are necessary to fully understand the impact and affected scope. Evidence limits suggest focusing on Gitea's OAuth2 PKCE implementation and potential verifier check bypass. Defenders should verify Gitea instance configurations, review OAuth2 settings, and monitor for suspicious activities. Additional research may be required to determine the full extent of affected systems and potential attack vectors.
Official resources
-
CVE-2026-26247 CVE record
CVE.org
-
CVE-2026-26247 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:58.417Z and has not been modified since then.