CVE-2026-26247
Gitea · Gitea Open Source Git Server
Gitea versions before 1.25.5 fail to correctly persist OAuth2 PKCE S256 challenges, allowing token exchange to proceed without mandatory verifier validation.
Executive summary
A critical security flaw in Gitea Open Source Git Server allows attackers to bypass OAuth2 PKCE verifier checks, weakening the integrity of the authentication process.
Vulnerability
The application fails to correctly persist the PKCE (Proof Key for Code Exchange) S256 challenge method during the authorization flow. This allows an unauthenticated attacker to complete the token exchange process without the required cryptographic verification, undermining the OAuth2 security model.
Business impact
By bypassing PKCE verifiers, attackers can potentially intercept or spoof authorization flows, leading to unauthorized access to user accounts and repository resources. The CVSS score of 9.1 highlights the critical nature of this flaw, as it allows an attacker to subvert core authentication protections, risking the confidentiality and integrity of hosted development environments.
Remediation
Immediate Action: Apply the vendor-provided patch by upgrading Gitea to version 1.25.5 or later immediately.
Proactive Monitoring: Monitor access logs for unusual OAuth2 token exchange requests that do not follow standard flow patterns.
Compensating Controls: Ensure that TLS is strictly enforced for all OAuth2 callback endpoints to minimize the window for interception while the upgrade is being deployed.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for unauthorized access, administrators must treat this as a high-priority update. Upgrading to version 1.25.5 is the only effective way to restore the integrity of the OAuth2 authentication process and prevent potential account compromise.