CVE-2026-26232

Gitea · Gitea Open Source Git Server

Gitea versions before 1.25.5 fail to properly enforce OAuth2 authorization code expiry and single-use requirements, allowing attackers to replay codes to bypass authentication.

Executive summary

A critical authentication bypass vulnerability in Gitea Open Source Git Server allows unauthenticated attackers to hijack sessions by replaying captured OAuth2 authorization codes.

Vulnerability

This vulnerability involves improper enforcement of OAuth2 authorization state, where captured codes are not invalidated after use. An unauthenticated attacker can exploit this flaw to perform a replay attack, effectively bypassing authentication mechanisms.

Business impact

Successful exploitation of this vulnerability allows unauthorized access to the Git server, potentially exposing sensitive source code, intellectual property, and internal project data. With a CVSS score of 9.1, this represents a critical risk to business operations, as it permits full account takeover without requiring valid credentials.

Remediation

Immediate Action: Upgrade all Gitea instances to version 1.25.5 or later, as this release contains the necessary security logic to enforce single-use OAuth2 codes.

Proactive Monitoring: Review authentication and OAuth2 callback logs for anomalous patterns, such as multiple identical authorization exchanges occurring within a short timeframe.

Compensating Controls: Implement strict network access controls to limit exposure of the Gitea interface to trusted networks while the upgrade process is scheduled.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this flaw necessitates immediate attention. Organizations utilizing Gitea for repository management should prioritize the update to version 1.25.5 to eliminate the risk of session hijacking and unauthorized repository access.