CVE-2026-22874

Gitea · Gitea Open Source Git Server

Gitea versions up to 1.26.2 contain a vulnerability involving incomplete SSRF protection within the webhook and migration allow-list filtering mechanisms.

Executive summary

A critical Server-Side Request Forgery (SSRF) vulnerability in Gitea allows unauthorized actors to potentially interact with internal network resources.

Vulnerability

The software fails to properly sanitize input during webhook and migration processes, leading to incomplete SSRF protection. This flaw allows an attacker to bypass allow-list filtering to send unauthorized requests to internal services.

Business impact

The exploitation of this SSRF vulnerability poses a severe risk to internal network security. An attacker could leverage this flaw to perform unauthorized reconnaissance, interact with internal APIs, or access sensitive metadata services, potentially leading to full service compromise. With a CVSS score of 9.6, this vulnerability is critical and requires immediate attention to prevent unauthorized lateral movement within the network.

Remediation

Immediate Action: Upgrade Gitea to the latest patched version provided by the vendor to eliminate the SSRF vector.

Proactive Monitoring: Review web server and application logs for unusual outbound connection attempts originating from the Gitea instance to internal IP addresses or restricted ports.

Compensating Controls: Implement strict egress filtering on the firewall to restrict the Gitea server from reaching internal network segments or unauthorized external endpoints.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the critical CVSS score of 9.6, organizations must prioritize the update of all Gitea instances. Failure to address this SSRF vulnerability exposes the internal infrastructure to significant risk; patching is the only definitive way to mitigate this exposure.