EUVD-2026-4264

Gitea does not properly validate repository ownership when deleting Git LFS locks...

GHSA-393C-QGVJ-3XPH Gitea does not properly validate repository ownership when deleting Git LFS locks

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVE-2026-20897 Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVE-2026-20897

Gitea vulnerability CVE-2026-20897: The system does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may delete LFS locks belonging to other repositories, enabling cross-repo access control issues. Related OSV entry GO-2026-4363 co...

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

PT-2026-4292

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description Gitea does not correctly validate repository ownership during the deletion of Git LFS locks. This allows a user with write access to a repository to potentially delete LFS locks that belong to...

Gitea security vulnerabilities

Gitea is a lightweight Git service developed using Go language in the Gitea community. Gitea has a security vulnerability that stems from the improper verification of repository ownership when deleting the Git LFS lock. This vulnerability could allow a user with write permissions to a repository ...

MiracleLinux 9 : git-lfs-3.4.1-2.el9_4 (AXSA:2024-8148:03)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-8148:03 advisory. golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288 golang: net/http/cookiejar: incorrect forwarding of...

MiracleLinux 9 : git-lfs-3.4.1-1.el9 (AXSA:2024-7894:02)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-7894:02 advisory. golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288,VU421644.3 Tenable has extracted the preceding description...

MiracleLinux 4 : httpd-2.2.15-45.0.1.AXS4 (AXSA:2015-347:01)

The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2015-347:01 advisory. The Apache HTTP Server is a powerful, efficient, and extensible web server. Security issues fixed with this release: CVE-2013-5704 The modheaders module in th...

RHSA-2026:0472 Red Hat Security Advisory: git-lfs security update

Bulletin has no description...

RHSA-2026:0460 Red Hat Security Advisory: git-lfs security update

Bulletin has no description...

RHSA-2026:0459 Red Hat Security Advisory: git-lfs security update

Bulletin has no description...

RHEL 9 : git-lfs (RHSA-2026:0472)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0472 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing th...

RHEL 8 : git-lfs (RHSA-2026:0465)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0465 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing th...

git-lfs: Git LFS may write to arbitrary files via crafted symlinks

A flaw was found in Git LFS. Running git lfs checkout and git lfs pull in a specially crafted repository, specifically with symbolic or hard links tracked by Git LFS and pointing to files outside the working tree or in a bare repository, can cause Git LFS to write to arbitrary file system locatio...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

GO-2026-4290 Soft Serve is missing an authorization check in LFS lock deletion in github.com/charmbracelet/soft-serve

Soft Serve is missing an authorization check in LFS lock deletion in github.com/charmbracelet/soft-serve...

git-lfs: Git LFS may write to arbitrary files via crafted symlinks

A flaw was found in Git LFS. Running git lfs checkout and git lfs pull in a specially crafted repository, specifically with symbolic or hard links tracked by Git LFS and pointing to files outside the working tree or in a bare repository, can cause Git LFS to write to arbitrary file system locatio...

Important: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Red Hat Product Security has rated this update as...