Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
| Vendor | Product | Versions |
|---|---|---|
| gitea | gitea | 0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| open source | gitea | cert_advisory | 90% |
Updated severity to CRITICAL, marked as actively exploited, and added CVE-2026-26247 tag.
Initial creation