CVE-2026-58422
Gitea · Open Source Git Server
An improper authorization flaw in the OAuth sign-in callback mechanism allows attackers to silently re-enable previously disabled administrator accounts.
Executive summary
A critical authorization bypass in Gitea Open Source Git Server allows attackers to regain access to disabled accounts, posing a severe risk of unauthorized system control.
Vulnerability
This vulnerability involves improper authorization handling during the OAuth sign-in callback process. An attacker can exploit this to silently re-enable accounts that have been explicitly disabled by administrators, effectively bypassing account lockout security policies.
Business impact
With a CVSS score of 9.8 (Critical), this vulnerability represents a severe threat to the integrity and confidentiality of the environment. Successful exploitation allows unauthorized access to potentially privileged accounts, leading to full system compromise, data theft, and loss of control over the Git infrastructure.
Remediation
Immediate Action: Update Gitea to version 1.26.2 or later to address the flaw in the OAuth callback authentication logic.
Proactive Monitoring: Review audit logs for unexpected account reactivations or suspicious OAuth sign-in events, particularly for accounts that were previously marked as disabled.
Compensating Controls: Temporarily disable OAuth provider integration if patching cannot be performed immediately, forcing users to authenticate via standard local credentials.
Exploitation status
Public Exploit Available: True
Analyst recommendation
This is a critical security issue that requires immediate attention. Security teams must ensure all instances are updated to the latest version to prevent unauthorized account access and potential privilege escalation.