Incomplete SSRF Protection in Gitea by Gitea
CVE-2026-22874

9.6 CRITICAL

Key Information:

Vendor: Gitea
CVE Published: 3 July 2026

What is CVE-2026-22874?

Gitea versions up to and including 1.26.2 apply incomplete server-side request forgery (SSRF) protection in the allow-list filtering that governs webhook delivery targets and repository migration sources. Gitea itself issues the outbound HTTP request in both features, so a user who can configure a webhook or start a migration can direct that request at hosts the allow-list is meant to keep it from reaching (typically loopback and private-network addresses), which can give unauthorized access to internal services or leak data from them. Upgrade to Gitea 1.26.3 or later, where the filtering has been corrected.
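The advisory says only that the allow-list filtering was incomplete; what a complete outbound-URL guard for webhook and migration targets has to do is easier to see in code. The block below is an added example in Go written for this page: it is not Gitea's code, the Guard and Resolver names and the policy are assumptions, and it makes no claim about the specific gap fixed in 1.26.3. It shows the three checks such guards most often miss: applying the deny rules to every resolved address rather than to the hostname string, normalising IPv4-mapped IPv6 literals, and re-checking inside the dialer and on each redirect so the connection target cannot change after validation.

```go
// Outbound-URL guard of the kind webhook and migration code needs. Added
// illustration, not Gitea's code; it does not reproduce the gap fixed in 1.26.3.
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Resolver is injected so the policy can be exercised offline in tests.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// Guard is the operator policy: addresses inside AllowNets are trusted explicitly.
type Guard struct {
	AllowNets []*net.IPNet
	Resolve   Resolver // required; see main for the real-DNS version
}

// isDisallowedIP rejects loopback, private (RFC 1918/ULA), link-local (which covers
// the 169.254.169.254 metadata endpoint), multicast, broadcast and unspecified
// addresses; IPv4-mapped IPv6 is normalised so ::ffff:127.0.0.1 is caught too.
func isDisallowedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return !ip.IsGlobalUnicast() || ip.IsPrivate()
}

func (g *Guard) allowedNet(ip net.IP) bool {
	for _, n := range g.AllowNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Validate applies the policy to every address the host maps to, not only the
// first; checking the hostname string alone is how such guards end up incomplete.
func (g *Guard) Validate(ctx context.Context, raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("scheme or host not allowed in %q", raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = g.Resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) && !g.allowedNet(ip) {
			return nil, fmt.Errorf("%s resolves to %s, not an external address", host, ip)
		}
	}
	return ips, nil
}

// NewClient re-applies the policy inside the dialer, to the address actually
// connected to (closing the resolve-then-connect, DNS-rebinding window), and on
// every redirect hop, so an allowed host cannot bounce the request inward.
func (g *Guard) NewClient() *http.Client {
	d := &net.Dialer{}
	tr := &http.Transport{DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := g.Validate(ctx, "http://"+net.JoinHostPort(host, port))
		if err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port)) // dial what was validated
	}}
	return &http.Client{Transport: tr, CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 {
			return errors.New("too many redirects")
		}
		_, err := g.Validate(req.Context(), req.URL.String())
		return err
	}}
}

func main() { // real DNS here; tests inject a constructed resolver
	g := &Guard{Resolve: func(ctx context.Context, h string) ([]net.IP, error) { return net.DefaultResolver.LookupIP(ctx, "ip", h) }}
	_, err := g.Validate(context.Background(), "http://169.254.169.254/latest/meta-data/")
	fmt.Println(err)
}
```

The policy this models is what Gitea exposes as ALLOWED_HOST_LIST under [webhook] and ALLOWED_DOMAINS, BLOCKED_DOMAINS and ALLOW_LOCALNETWORKS under [migrations] in app.ini. Tightening those settings is worth doing alongside the upgrade, but it is not a substitute for it, since this CVE concerns the filtering behind them rather than the settings themselves.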

Affected Version(s)

Gitea Open Source Git Server, all versions from 0 up to and including 1.26.2

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Note that the metrics as listed form the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which the CVSS 3.1 base formula scores as 9.9, not 9.6. Either the score or one of the metrics on this page is misreported; check the vector against the upstream Gitea advisory before quoting it.

Credit

JLLeitschuh