CVE-2026-58426
Gitea · Gitea Open Source Git Server
An HMAC ambiguity in Gitea Actions Artifacts allows cross-repository data reads and cross-task state writes, compromising the integrity and confidentiality of CI/CD pipelines.
Executive summary
A critical vulnerability in Gitea Actions allows attackers to bypass repository boundaries, resulting in unauthorized access to sensitive artifacts and the ability to manipulate CI/CD task states.
Vulnerability
The vulnerability involves an HMAC ambiguity in the V4 signed URLs for Actions Artifacts, which can be exploited by an authenticated user to perform unauthorized read operations across repositories and write operations across tasks.
Business impact
Exploitation of this flaw undermines the security of the entire CI/CD environment. Attackers could steal proprietary source code or build secrets, or inject malicious code into build processes by manipulating task states. The CVSS score of 9.6 highlights the extreme risk to the software supply chain and organizational development integrity.
Remediation
Immediate Action: Update the Gitea instance to the latest version as specified in the vendor's security advisory to address the HMAC validation logic.
Proactive Monitoring: Review CI/CD pipeline logs for unauthorized artifact access or unexpected changes to task statuses.
Compensating Controls: Implement strict repository-level access controls and minimize the use of shared runners where possible to reduce the blast radius of potential exploits.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the potential for supply chain compromise, organizations utilizing Gitea Actions must prioritize this patch. Security teams should work closely with DevOps engineers to ensure the update is validated in a non-production environment before full deployment to critical CI/CD infrastructure.