CVE-2026-27780

Gitea · Gitea Open Source Git Server

Gitea versions before 1.26.0 fail to handle errors correctly during pre-receive hook processing, allowing attackers to bypass branch-protection checks using oversized input.

Executive summary

An authorization bypass vulnerability in Gitea versions prior to 1.26.0 allows attackers to circumvent critical branch-protection security controls.

Vulnerability

This is an incorrect authorization vulnerability (CWE-863) resulting from a failure to close connections or halt processes when a bufio.Scanner error occurs. By providing specifically crafted, oversized input during the pre-receive hook process, an attacker can cause the system to ignore security checks, effectively bypassing branch protections.

Business impact

The ability to bypass branch protections with a CVSS score of 9.8 poses a catastrophic risk to the integrity of the software development lifecycle. Unauthorized code changes can be pushed to protected branches, potentially allowing the introduction of malicious backdoors or unauthorized modifications to production-critical source code.

Remediation

Immediate Action: Upgrade to Gitea version 1.26.0 or higher to ensure proper input validation and error handling for pre-receive hooks.

Proactive Monitoring: Review repository push logs for abnormal activity or attempts to push to protected branches that should have been rejected.

Compensating Controls: Implement strict CI/CD pipeline checks that verify code integrity independently of the Git server's native branch protection mechanisms.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is critical due to the potential for total compromise of repository integrity. Administrators must upgrade to version 1.26.0 or later immediately to restore the effectiveness of branch-protection policies and prevent unauthorized code modifications.