Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-28740

Summary
Assigner-Gitea
Assigner Org ID-88ee5874-cf24-4952-aea0-31affedb7ff2
Published At-03 Jul, 2026 | 20:19
Updated At-03 Jul, 2026 | 20:19
Rejected At-
Credits

Gitea LFS object reuse bypasses Code-unit authorization

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Gitea
Assigner Org ID:88ee5874-cf24-4952-aea0-31affedb7ff2
Published At:03 Jul, 2026 | 20:19
Updated At:03 Jul, 2026 | 20:19
Rejected At:
â–¼CVE Numbering Authority (CNA)
Gitea LFS object reuse bypasses Code-unit authorization

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

Affected Products
Vendor
Gitea
Product
Gitea Open Source Git Server
Default Status
unaffected
Versions
Affected
  • From 0 through 1.26.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-639CWE-639
CWECWE-863CWE-863
Type: CWE
CWE ID: CWE-639
Description: CWE-639
Type: CWE
CWE ID: CWE-863
Description: CWE-863
Metrics
VersionBase scoreBase severityVector
3.17.1HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
m2hcz
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq
vendor-advisory
https://github.com/go-gitea/gitea/pull/38050
patch
https://github.com/go-gitea/gitea/releases/tag/v1.26.3
release-notes
https://blog.gitea.com/release-of-1.26.3-and-1.26.4/
release-notes
Hyperlink: https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq
Resource:
vendor-advisory
Hyperlink: https://github.com/go-gitea/gitea/pull/38050
Resource:
patch
Hyperlink: https://github.com/go-gitea/gitea/releases/tag/v1.26.3
Resource:
release-notes
Hyperlink: https://blog.gitea.com/release-of-1.26.3-and-1.26.4/
Resource:
release-notes
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:88ee5874-cf24-4952-aea0-31affedb7ff2
Published At:03 Jul, 2026 | 21:16
Updated At:03 Jul, 2026 | 21:16

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.1HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-639Secondary88ee5874-cf24-4952-aea0-31affedb7ff2
CWE-863Secondary88ee5874-cf24-4952-aea0-31affedb7ff2
CWE ID: CWE-639
Type: Secondary
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
CWE ID: CWE-863
Type: Secondary
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://blog.gitea.com/release-of-1.26.3-and-1.26.4/88ee5874-cf24-4952-aea0-31affedb7ff2
N/A
https://github.com/go-gitea/gitea/pull/3805088ee5874-cf24-4952-aea0-31affedb7ff2
N/A
https://github.com/go-gitea/gitea/releases/tag/v1.26.388ee5874-cf24-4952-aea0-31affedb7ff2
N/A
https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq88ee5874-cf24-4952-aea0-31affedb7ff2
N/A
Hyperlink: https://blog.gitea.com/release-of-1.26.3-and-1.26.4/
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A
Hyperlink: https://github.com/go-gitea/gitea/pull/38050
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A
Hyperlink: https://github.com/go-gitea/gitea/releases/tag/v1.26.3
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A
Hyperlink: https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

16Records found

CVE-2026-27657
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea email settings allow changing another user's primary email address

Gitea versions before 1.25.5 allow a user to change another user's primary email address.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-27780
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea pre-receive hook can miss branch-protection checks after scanner errors

Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-25782
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea tracked-time deletion can target entries from another issue

Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-26231
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-8.5||HIGH
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea maintainer-edit permissions allow unauthorized commits to readable repositories

Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-27761
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-4.3||MEDIUM
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea repository feeds bypass API token scope enforcement

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-27775
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea pre-receive hook permission cache allows full repository write access

Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other refs and escalate to full repository write access.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-28699
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-8.1||HIGH
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Basic Auth bypasses OAuth2 access token scopes

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-28744
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-8.1||HIGH
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Git smart HTTP bypasses repository token scopes for bearer tokens

Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-58424
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-8.9||HIGH
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:54
Updated-03 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Permanent Fork PR Workflow Approval Gate Bypass

Permanent Fork PR Workflow Approval Gate Bypass

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-20904
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 19.54%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 22:01
Updated-29 Jan, 2026 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-20912
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-9.1||CRITICAL
EPSS-0.41% / 33.30%
||
7 Day CHG+0.05%
Published-22 Jan, 2026 | 22:01
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Action-Not Available
Vendor-giteaGiteaRed Hat, Inc.
Product-giteaGitea Open Source Git ServerOpenShift Pipelines
CWE ID-CWE-283
Unverified Ownership
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-20897
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-9.1||CRITICAL
EPSS-0.41% / 33.30%
||
7 Day CHG+0.05%
Published-22 Jan, 2026 | 22:01
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Action-Not Available
Vendor-giteaGiteaRed Hat, Inc.
Product-giteaGitea Open Source Git ServerOpenShift Pipelines
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-68941
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.9||MEDIUM
EPSS-0.24% / 14.79%
||
7 Day CHG~0.00%
Published-26 Dec, 2025 | 02:31
Updated-02 Jan, 2026 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-68938
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 26.91%
||
7 Day CHG~0.00%
Published-26 Dec, 2025 | 01:19
Updated-02 Jan, 2026 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gitea before 1.25.2 mishandles authorization for deletion of releases.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-68940
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.1||LOW
EPSS-0.25% / 16.30%
||
7 Day CHG~0.00%
Published-26 Dec, 2025 | 02:14
Updated-02 Jan, 2026 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-28175
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-7.1||HIGH
EPSS-0.46% / 36.58%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 10:14
Updated-17 Dec, 2024 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.

Action-Not Available
Vendor-Robert Bosch GmbH
Product-divar_ip_5000_firmwaredivar_ip_7000divar_ip_4000divar_ip_7000_r3divar_ip_6000_firmwaredivar_ip_5000divar_ip_7000_firmwaredivar_ip_7000_r2_firmwaredivar_ip_7000_r3_firmwarevideo_management_system_viewerdivar_ip_6000divar_ip_4000_firmwaredivar_ip_3000divar_ip_7000_r2video_management_systemdivar_ip_3000_firmwareBosch DIVAR IP all-in-one 7000 R3Bosch DIVAR IP 7000 R2BVMSBosch DIVAR IP 3000DIVAR IP all-in-one 4000Bosch DIVAR IP all-in-one 5000Bosch DIVAR IP all-in-one 7000Bosch DIVAR IP 7000 R1DIVAR IP all-in-one 6000BVMS Viewer
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
Details not found