OAuth2 Authorization Vulnerability in Gitea by Gitea Team
CVE-2026-26247


Key Information:

Vendor: Gitea

CVE Published: 3 July 2026

What is CVE-2026-26247?

Versions of Gitea prior to 1.25.5 contain a vulnerability in which the OAuth2 PKCE S256 code challenge method is not properly persisted during the authorization process. Because the method is lost, a token exchange can complete without the PKCE verification check being enforced. As a result, an attacker may use this weakness to bypass the protection PKCE is meant to provide, potentially leading to unauthorized access to sensitive resources.
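The root cause described above is a persistence gap: if the authorization server stores the code_challenge but drops the code_challenge_method, a token endpoint that treats a missing method as "no PKCE requested" will skip verification entirely. The following is an added illustration of a fail-closed token-endpoint check written for this advisory; it is not Gitea's code, and the PKCEState type, the function names and the verifier string are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// PKCEState is what the authorization endpoint must persist alongside the
// authorization code: the challenge AND the method it was created with.
// (Constructed type for this example, not a Gitea type.)
type PKCEState struct {
	Challenge string // code_challenge from the authorization request
	Method    string // code_challenge_method: "S256" or "plain"
}

var ErrPKCE = errors.New("pkce verification failed")

// S256Challenge derives the RFC 7636 S256 challenge from a code_verifier.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the token-endpoint check. It fails closed: a stored
// challenge whose method was not persisted is rejected rather than being
// treated as "no PKCE requested", which is the failure mode the advisory
// describes. Verifier length bounds follow RFC 7636 section 4.1.
func VerifyPKCE(st PKCEState, verifier string) error {
	if st.Challenge == "" {
		return nil // the client never registered a challenge for this code
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return ErrPKCE
	}
	var expected string
	switch st.Method {
	case "S256":
		expected = S256Challenge(verifier)
	case "plain":
		expected = verifier
	default: // "" or unknown: the method was lost or invalid, so reject
		return ErrPKCE
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(st.Challenge)) != 1 {
		return ErrPKCE
	}
	return nil
}

func main() {
	v := "constructed-verifier-0123456789abcdefghijklmnopqrstuvwxyz" // constructed
	ok := PKCEState{Challenge: S256Challenge(v), Method: "S256"}
	lost := PKCEState{Challenge: S256Challenge(v), Method: ""} // method not persisted
	fmt.Println(VerifyPKCE(ok, v), VerifyPKCE(ok, "wrong"), VerifyPKCE(lost, v))
}
```

The "lost" case is the one to test for in an authorization server: a stored challenge with no stored method must produce an error, never a successful exchange.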

Affected Version(s)

Gitea Open Source Git Server: all versions from 0 up to but not including 1.25.5

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aisle Research