RLSA-2026:2323 Important: git-lfs security update

Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

ALSA-2026:2323 Important: git-lfs security update

Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted...

git-lfs security update

3.4.1-7 - Rebuild with new Golang - Resolves: RHEL-140536...

RHEL 8 : git-lfs (RHSA-2026:2323)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:2323 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing th...

GO-2026-4363 Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea

Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea...

BIT-GITEA-2026-20897 Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

EUVD-2026-4264

Gitea does not properly validate repository ownership when deleting Git LFS locks...

Authorization Bypass Through User-Controlled Key

Overview code.gitea.io/gitea/modules/git is a Go module to access Git through shell commands. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper validation of repository ownership in the delete process for Git LFS locks. An attacker c...

GHSA-393C-QGVJ-3XPH Gitea does not properly validate repository ownership when deleting Git LFS locks

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVE-2026-20897

Gitea vulnerability CVE-2026-20897: The system does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may delete LFS locks belonging to other repositories, enabling cross-repo access control issues. Related OSV entry GO-2026-4363 co...

PT-2026-4292

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description Gitea does not correctly validate repository ownership during the deletion of Git LFS locks. This allows a user with write access to a repository to potentially delete LFS locks that belong to...

Gitea security vulnerabilities

Gitea is a lightweight Git service developed using Go language in the Gitea community. Gitea has a security vulnerability that stems from the improper verification of repository ownership when deleting the Git LFS lock. This vulnerability could allow a user with write permissions to a repository ...

MiracleLinux 9 : git-lfs-3.4.1-1.el9 (AXSA:2024-7894:02)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-7894:02 advisory. golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288,VU421644.3 Tenable has extracted the preceding description...

MiracleLinux 9 : git-lfs-3.4.1-2.el9_4 (AXSA:2024-8148:03)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-8148:03 advisory. golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288 golang: net/http/cookiejar: incorrect forwarding of...

RHSA-2026:0460 Red Hat Security Advisory: git-lfs security update

Bulletin has no description...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

GO-2026-4290 Soft Serve is missing an authorization check in LFS lock deletion in github.com/charmbracelet/soft-serve

Soft Serve is missing an authorization check in LFS lock deletion in github.com/charmbracelet/soft-serve...

git-lfs: Git LFS may write to arbitrary files via crafted symlinks

A flaw was found in Git LFS. Running git lfs checkout and git lfs pull in a specially crafted repository, specifically with symbolic or hard links tracked by Git LFS and pointing to files outside the working tree or in a bare repository, can cause Git LFS to write to arbitrary file system locatio...