CVE-2026-58421

Gitea · Open Source Git Server

An unauthenticated Regular Expression Denial of Service (ReDoS) vulnerability exists in Gitea's CODEOWNERS pattern matching, allowing attackers to cause excessive resource consumption.

Executive summary

An unauthenticated ReDoS vulnerability in Gitea Open Source Git Server allows remote attackers to trigger a denial of service via crafted CODEOWNERS patterns.

Vulnerability

This is an unauthenticated ReDoS vulnerability affecting the CODEOWNERS pattern matching functionality. By submitting specially crafted patterns, an attacker can exhaust system resources, leading to a denial of service.

Business impact

The CVSS score of 7.5 (High) reflects the potential for significant service disruption. While the vulnerability does not lead to data exfiltration or unauthorized modification, the resulting denial of service can render the Git infrastructure unavailable to developers, stalling CI/CD pipelines and software delivery processes.

Remediation

Immediate Action: Upgrade all Gitea instances to version 1.26.2 or later to apply the necessary patches for pattern matching logic.

Proactive Monitoring: Monitor server CPU and memory utilization patterns for sudden spikes that may indicate attempts to trigger ReDoS conditions.

Compensating Controls: Implement WAF rules to sanitize or block malformed inputs in requests targeting repository configuration files or CODEOWNERS patterns.

Exploitation status

Public Exploit Available: True

Analyst recommendation

The availability of proof-of-concept exploits significantly elevates the risk of this vulnerability being leveraged by malicious actors. Organizations should prioritize updating their Gitea installations to version 1.26.2 immediately to neutralize the threat.