Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3133 articles · 172057 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-26292EXPLOITEDPATCHED
gitea · gitea

Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions

Description

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

Affected Products

VendorProductVersions
giteagitea0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
open sourcegiteacert_advisory90%

References

  • https://github.com/go-gitea/gitea/pull/36665(patch)
  • https://github.com/go-gitea/gitea/pull/36691(patch)
  • https://github.com/go-gitea/gitea/releases/tag/v1.25.5(release-notes)
  • https://blog.gitea.com/release-of-1.25.5/(release-notes)

Related News (2 articles)

Tier B
BSI Advisories1d ago
[UPDATE] [mittel] Gitea: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-26292 | Gitea up to 1.25.4 access control
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.25.5
CWECWE-284
PublishedJul 3, 2026
Last enriched3d agov2
Trending Score61
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-20896EXP
Gitea Docker image trusts spoofable reverse-proxy headers by default
Trending: 90
CRITICALCVE-2026-26247EXP
Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange
Trending: 61
CRITICALCVE-2026-26232EXP
Gitea OAuth2 authorization codes lack expiry and reuse enforcement
Trending: 61
HIGHCVE-2026-27660EXP
Gitea draft releases use insufficient permission checks
Trending: 55
CRITICALCVE-2026-22547
Gitea repository creation accepts invalid field values
Trending: 48

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: severity, affectedVersions, activelyExploited
Jul 4, 2026
Actively Exploited
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v2
Last enriched 3d ago
v2Tier C3d ago

Updated severity to CRITICAL, added affected version 1.25.4, and noted that the vulnerability is actively exploited.

severityaffectedVersionsactivelyExploited
via VulDB
v14d ago

Initial creation