3 matches found
CVE-2026-58426
The CVE-2026-58426 affects Gitea, specifically the Actions Artifacts V4 signed URL mechanism, where an HMAC ambiguity enables cross-repository artifact read and cross-task upload-state write. The vulnerability stems from how signed URLs are validated, allowing unauthorized access across repositor...
CVE-2026-20897
Gitea vulnerability CVE-2026-20897: The system does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may delete LFS locks belonging to other repositories, enabling cross-repo access control issues. Related OSV entry GO-2026-4363 co...
CVE-2026-20897 Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...