Incomplete SSRF Protection in Gitea by Gitea
CVE-2026-22874
9.6 CRITICAL
What is CVE-2026-22874?
Gitea versions up to and including 1.26.2 ship incomplete server-side request forgery (SSRF) protection in the allow-list filtering applied to webhook targets and repository migration sources. Because the filter does not cover every case, an attacker who can set a webhook target or a migration source may be able to make the Gitea server issue requests to destinations the operator intended to block, such as internal services, which can lead to unauthorized access or data leakage. Users should upgrade to Gitea 1.26.3 or later, where the filtering has been corrected.
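The advisory does not say which case the allow-list filtering missed. As an added example (not Gitea's code; the hostnames, blocked ranges and allow-list entries are assumptions constructed for illustration), the Go program below shows the set of checks an outbound-URL allow-list needs in order to be complete rather than partial: a hostname match that a lookalike suffix cannot satisfy, a blocked-range check applied to every resolved address including IPv4-mapped IPv6 forms, and enforcement at dial time and on each redirect, so that the address that was checked is the address actually connected to.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

// Hypothetical allow-list of hosts the operator permits outbound requests to reach
// (constructed for this example; not Gitea configuration).
var allowedHosts = []string{"hooks.example.com", "*.git.example.org"}

// disallowedNets: ranges an outbound request must never reach, whatever the allow-list says:
// unspecified, loopback, RFC 1918, CGNAT, link-local (covers cloud metadata 169.254.169.254),
// multicast/reserved, and the IPv6 equivalents.
var disallowedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
	"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsDisallowedIP reports whether ip falls in a blocked range. IPv4-mapped IPv6 addresses
// (::ffff:127.0.0.1) are unwrapped first so they are judged as the IPv4 address they carry.
func IsDisallowedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range disallowedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// HostAllowed matches a hostname against the allow-list, case-insensitively and ignoring a
// trailing dot. "*.suffix" matches only names with a label before ".suffix": it does not
// match the bare suffix, and "evilgit.example.org" does not match "*.git.example.org".
func HostAllowed(host string, allow []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, a := range allow {
		a = strings.ToLower(a)
		if strings.HasPrefix(a, "*.") {
			if strings.HasSuffix(host, a[1:]) { // a[1:] keeps the leading dot
				return true
			}
		} else if host == a {
			return true
		}
	}
	return false
}

// ResolveAllowed resolves host with lookup and rejects it if ANY returned address is blocked
// (an attacker's DNS can answer with one public and one internal record). The vetted
// addresses are returned so the dialer connects to exactly what was checked.
func ResolveAllowed(ctx context.Context, host string, lookup func(context.Context, string) ([]net.IPAddr, error)) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil { // literal address: no DNS involved
		if IsDisallowedIP(ip) {
			return nil, fmt.Errorf("address %s is in a blocked range", ip)
		}
		return []net.IP{ip}, nil
	}
	addrs, err := lookup(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, errors.New("no addresses for " + host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		if IsDisallowedIP(a.IP) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, a.IP)
		}
		ips = append(ips, a.IP)
	}
	return ips, nil
}

// NewSafeClient returns an http.Client that applies both checks inside DialContext, so the
// allow-list and range checks run on every new connection, including those redirects open,
// and the IP dialed is the IP that passed (no re-resolution between check and connect).
func NewSafeClient(allow []string) *http.Client {
	resolver := &net.Resolver{}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			if !HostAllowed(host, allow) {
				return nil, fmt.Errorf("host %q not in allow-list", host)
			}
			ips, err := ResolveAllowed(ctx, host, resolver.LookupIPAddr)
			if err != nil {
				return nil, err
			}
			d := &net.Dialer{Timeout: 10 * time.Second}
			return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			if !HostAllowed(req.URL.Hostname(), allow) { // fail early; the dialer re-checks anyway
				return fmt.Errorf("redirect to %q blocked", req.URL.Host)
			}
			return nil
		},
	}
}

func main() {
	// Constructed DNS answer for the stand-alone demo: the allow-listed name returns one
	// public record and one loopback record, as a split-answer or rebinding attacker would.
	demoLookup := func(_ context.Context, host string) ([]net.IPAddr, error) {
		return []net.IPAddr{{IP: net.ParseIP("203.0.113.10")}, {IP: net.ParseIP("127.0.0.1")}}, nil
	}
	for _, host := range []string{"hooks.example.com", "169.254.169.254", "evil.example.net"} {
		if !HostAllowed(host, allowedHosts) {
			fmt.Printf("%-20s rejected: not in allow-list\n", host)
			continue
		}
		_, err := ResolveAllowed(context.Background(), host, demoLookup)
		fmt.Printf("%-20s %v\n", host, err)
	}
}
```

The design point is where the checks live: validating the URL once when a webhook or migration is saved is not enough, because the name can resolve differently at delivery time and a redirect can point anywhere. Running the checks inside the transport's dialer makes them apply to the connection that is actually made.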
Affected Version(s)
Gitea Open Source Git Server: all versions from 0 up to and including 1.26.2
