PatchSiren cyber security CVE debrief
CVE-2026-26292 Gitea CVE debrief
CVE-2026-26292 is a critical vulnerability in Gitea versions before 1.25.5. The issue arises from Gitea not using the migration HTTP transport for LFS push and sync mirror operations, effectively bypassing the configured migration transport protections for those LFS requests. This vulnerability has a CVSS score of 9.8 and is considered CRITICAL. The vulnerability can be exploited remotely without authentication, leading to high impacts on confidentiality, integrity, and availability. Users and administrators of Gitea instances, especially those using versions before 1.25.5, should be aware of this vulnerability and take immediate action to ensure the security of Gitea installations.
- Vendor
- Gitea
- Product
- Gitea Open Source Git Server
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users and administrators of Gitea instances, especially those using versions before 1.25.5, should be aware of this vulnerability. Given the critical nature of this vulnerability, immediate attention is required to ensure the security of Gitea installations.
Technical summary
The vulnerability is caused by Gitea's failure to utilize the migration HTTP transport for Large File Storage (LFS) push and sync mirror operations. This oversight allows LFS requests to bypass the protections configured for migration transports. The issue affects Gitea versions prior to 1.25.5. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8, indicating a high severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which signifies that the vulnerability can be exploited remotely without authentication, leading to high impacts on confidentiality, integrity, and availability.
Defensive priority
High
Recommended defensive actions
- Upgrade Gitea to version 1.25.5 or later to mitigate the vulnerability.
- Review and adjust the migration transport configurations to ensure they are applied correctly for LFS operations.
- Monitor Gitea instances for any suspicious LFS push and sync mirror operations.
- Implement additional security measures such as restricting access to Gitea instances and enhancing network monitoring.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-03T21:16:58.517Z and was last modified on 2026-07-07T18:16:37.470Z. The NVD entry is currently Deferred. References include the official Gitea release notes for version 1.25.5, as well as pull requests and release tags related to the fix.
Official resources
-
CVE-2026-26292 CVE record
CVE.org
-
CVE-2026-26292 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:58.517Z and has not been modified since then. The NVD entry is currently Deferred.