CVE-2026-26292
Gitea · Gitea Open Source Git Server
Gitea versions before 1.25.5 fail to use the migration HTTP transport for LFS operations, bypassing configured security protections for push and sync mirror requests.
Executive summary
A critical security gap in Gitea Open Source Git Server allows attackers to bypass LFS transport protections, potentially leading to the interception or manipulation of sensitive data.
Vulnerability
The application fails to utilize the migration HTTP transport for LFS (Large File Storage) push and sync mirror operations. This bypasses established security protections, allowing unauthenticated attackers to potentially intercept or manipulate LFS data transfers through unencrypted channels or weak authentication mechanisms.
Business impact
This vulnerability carries a CVSS score of 9.8, reflecting the ability of an attacker to compromise both data integrity and confidentiality. By manipulating LFS data, an attacker could inject malicious files into repositories or exfiltrate sensitive large assets, leading to severe downstream impacts on software supply chains and organizational data security.
Remediation
Immediate Action: Upgrade to Gitea version 1.25.5 or later to ensure that all LFS operations are correctly routed through the secure migration HTTP transport.
Proactive Monitoring: Review network traffic and server logs for anomalous LFS synchronization activity or unexpected outbound connections from the Git server.
Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect LFS-related HTTP traffic for signs of manipulation until the patch can be fully applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a significant risk to the integrity of repository assets. Organizations must prioritize the upgrade to version 1.25.5 to close the transport security gap and protect LFS data from unauthorized interception or tampering.