CVE-2026-26292

Gitea · Gitea Open Source Git Server

Gitea versions before 1.25.5 fail to use the migration HTTP transport for LFS operations, bypassing configured security protections for push and sync mirror requests.

Executive summary

A critical security gap in Gitea Open Source Git Server allows attackers to bypass LFS transport protections, potentially leading to the interception or manipulation of sensitive data.

Vulnerability

The application fails to utilize the migration HTTP transport for LFS (Large File Storage) push and sync mirror operations. This bypasses established security protections, allowing unauthenticated attackers to potentially intercept or manipulate LFS data transfers through unencrypted channels or weak authentication mechanisms.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting the ability of an attacker to compromise both data integrity and confidentiality. By manipulating LFS data, an attacker could inject malicious files into repositories or exfiltrate sensitive large assets, leading to severe downstream impacts on software supply chains and organizational data security.

Remediation

Immediate Action: Upgrade to Gitea version 1.25.5 or later to ensure that all LFS operations are correctly routed through the secure migration HTTP transport.

Proactive Monitoring: Review network traffic and server logs for anomalous LFS synchronization activity or unexpected outbound connections from the Git server.

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect LFS-related HTTP traffic for signs of manipulation until the patch can be fully applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a significant risk to the integrity of repository assets. Organizations must prioritize the upgrade to version 1.25.5 to close the transport security gap and protect LFS data from unauthorized interception or tampering.