Improper Handling of Migration Transport in Gitea by Gitea Team
CVE-2026-26292
Currently unrated
What is CVE-2026-26292?
Gitea, a popular self-hosted Git service, contains a vulnerability in its handling of Large File Storage (LFS) push and sync mirror operations. In versions prior to 1.25.5, these operations do not use the designated migration HTTP transport, so the protections that transport is meant to enforce are not applied to them. The configured security measures for LFS requests are effectively bypassed, which can expose users to potential data integrity issues during these operations.
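The failure mode described above, as an added Go example that is not Gitea's code: one request path builds its HTTP client without the policy-enforcing transport, so the checks never run for it. The host allowlist, every type and function name, and the hostnames are assumptions made for illustration; the page does not say which protections the migration transport enforces.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var ErrBlocked = errors.New("host not allowed by migration policy")

// guardedTransport is a hypothetical stand-in for a migration transport:
// every request is checked against an allowlist (assumed policy) before it is sent.
type guardedTransport struct {
	allowed map[string]bool
	base    http.RoundTripper
}

func (g *guardedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	if !g.allowed[r.URL.Hostname()] {
		return nil, fmt.Errorf("%w: %s", ErrBlocked, r.URL.Hostname())
	}
	return g.base.RoundTrip(r)
}

// stubNet answers every request locally so the example runs offline.
type stubNet struct{}

func (stubNet) RoundTrip(*http.Request) (*http.Response, error) {
	return httptest.NewRecorder().Result(), nil
}

var policy = &guardedTransport{allowed: map[string]bool{"lfs.example.org": true}, base: stubNet{}}

// LFSClientBefore models the flaw: a client built without the guarded transport.
func LFSClientBefore() *http.Client { return &http.Client{Transport: stubNet{}} }

// LFSClientAfter models the fix: the LFS path reuses the shared guarded transport.
func LFSClientAfter() *http.Client { return &http.Client{Transport: policy} }

// Send issues a GET through c and returns the transport's verdict.
func Send(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	const internal = "http://internal.example.test/objects/batch" // constructed URL
	fmt.Println("before:", Send(LFSClientBefore(), internal), "| after:", Send(LFSClientAfter(), internal))
}
```

When auditing a code base for this class of bug, look for HTTP clients constructed directly instead of obtained from the one factory that attaches the policy transport.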
Affected Version(s)
Gitea Open Source Git Server 0 < 1.25.5
