PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28740 Gitea CVE debrief

CVE-2026-28740 is a high-severity vulnerability in Gitea, a self-hosted Git service. The issue allows Git LFS object reuse to authorize private source objects for users with repository access but lacking Code-unit access. This vulnerability was published on 2026-07-03T21:16:59.890Z and last modified on 2026-07-07T18:16:38.327Z. The vulnerability has significant implications for Gitea users, particularly those with sensitive repositories.

Vendor
Gitea
Product
Gitea Open Source Git Server
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Users of Gitea versions up to and including 1.26.2 should be aware of this vulnerability and take necessary actions to protect their repositories. This includes reviewing repository access and Code-unit access permissions, as well as monitoring repository activity for suspicious behavior.

Technical summary

The vulnerability has a CVSS score of 7.1 and is classified as HIGH. It is related to CWE-639 and CWE-863. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N. This technical summary is based on the provided CVE record and NVD details. Gitea versions up to and including 1.26.2 are affected, allowing Git LFS object reuse to authorize private source objects for users with repository access but lacking Code-unit access. Users should review repository access and Code-unit access permissions, as well as monitor repository activity for suspicious behavior. The CVE record was published on 2026-07-03T21:16:59.890Z and last modified on 2026-07-07T18:16:38.327Z.

Defensive priority

High priority should be given to updating Gitea to a version that fixes this vulnerability, as well as reviewing and adjusting repository access and Code-unit access permissions.

Recommended defensive actions

  • Update Gitea to a version that fixes this vulnerability
  • Review repository access and Code-unit access permissions
  • Monitor repository activity for suspicious behavior
  • Perform a thorough review of the Gitea deployment to identify potential exposure
  • Implement compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved

Evidence notes

The CVE record was published on 2026-07-03T21:16:59.890Z and last modified on 2026-07-07T18:16:38.327Z. The NVD entry is currently Deferred. This information is based on the provided source corpus. Further verification is recommended to confirm affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:59.890Z and has not been modified since then. The NVD entry is currently Deferred.