Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3093 articles · 172043 vulns · 37/41 feeds (7d)
← Back to list
9.1
CVE-2026-26247EXPLOITEDPATCHED
gitea · gitea

Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange

Description

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Affected Products

VendorProductVersions
giteagitea0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
open sourcegiteacert_advisory90%

References

  • https://github.com/go-gitea/gitea/pull/36462(patch)
  • https://github.com/go-gitea/gitea/pull/36477(patch)
  • https://github.com/go-gitea/gitea/releases/tag/v1.25.5(release-notes)
  • https://blog.gitea.com/release-of-1.25.5/(release-notes)

Related News (2 articles)

Tier B
BSI Advisories1d ago
[UPDATE] [mittel] Gitea: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-26247 | Gitea up to 1.25.4 access control
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.25.5
CWECWE-284
PublishedJul 3, 2026
Last enriched3d agov2
Tags
CVE-2026-26247
Trending Score62
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-20896EXP
Gitea Docker image trusts spoofable reverse-proxy headers by default
Trending: 90
CRITICALCVE-2026-26292EXP
Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions
Trending: 62
CRITICALCVE-2026-26232EXP
Gitea OAuth2 authorization codes lack expiry and reuse enforcement
Trending: 62
HIGHCVE-2026-27660EXP
Gitea draft releases use insufficient permission checks
Trending: 55
CRITICALCVE-2026-22547
Gitea repository creation accepts invalid field values
Trending: 48

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: severity, activelyExploited, tags
Jul 4, 2026
Actively Exploited
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v2
Last enriched 3d ago
v2Tier C3d ago

Updated severity to CRITICAL, marked as actively exploited, and added CVE-2026-26247 tag.

severityactivelyExploitedtags
via VulDB
v14d ago

Initial creation