PatchSiren cyber security CVE debrief
CVE-2026-28740 Gitea CVE debrief
CVE-2026-28740 is a high-severity vulnerability in Gitea, a self-hosted Git service. The issue allows Git LFS object reuse to authorize private source objects for users with repository access but lacking Code-unit access. This vulnerability was published on 2026-07-03T21:16:59.890Z and last modified on 2026-07-07T18:16:38.327Z. The vulnerability has significant implications for Gitea users, particularly those with sensitive repositories.
- Vendor
- Gitea
- Product
- Gitea Open Source Git Server
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users of Gitea versions up to and including 1.26.2 should be aware of this vulnerability and take necessary actions to protect their repositories. This includes reviewing repository access and Code-unit access permissions, as well as monitoring repository activity for suspicious behavior.
Technical summary
The vulnerability has a CVSS score of 7.1 and is classified as HIGH. It is related to CWE-639 and CWE-863. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N. This technical summary is based on the provided CVE record and NVD details. Gitea versions up to and including 1.26.2 are affected, allowing Git LFS object reuse to authorize private source objects for users with repository access but lacking Code-unit access. Users should review repository access and Code-unit access permissions, as well as monitor repository activity for suspicious behavior. The CVE record was published on 2026-07-03T21:16:59.890Z and last modified on 2026-07-07T18:16:38.327Z.
Defensive priority
High priority should be given to updating Gitea to a version that fixes this vulnerability, as well as reviewing and adjusting repository access and Code-unit access permissions.
Recommended defensive actions
- Update Gitea to a version that fixes this vulnerability
- Review repository access and Code-unit access permissions
- Monitor repository activity for suspicious behavior
- Perform a thorough review of the Gitea deployment to identify potential exposure
- Implement compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved
Evidence notes
The CVE record was published on 2026-07-03T21:16:59.890Z and last modified on 2026-07-07T18:16:38.327Z. The NVD entry is currently Deferred. This information is based on the provided source corpus. Further verification is recommended to confirm affected scope and severity.
Official resources
-
CVE-2026-28740 CVE record
CVE.org
-
CVE-2026-28740 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:59.890Z and has not been modified since then. The NVD entry is currently Deferred.