Improper Handling of Migration Transport in Gitea by Gitea Team
CVE-2026-26292

Currently unrated

Key Information:

Vendor: Gitea

CVE Published: 3 July 2026

What is CVE-2026-26292?

Gitea, a popular self-hosted Git service, contains a vulnerability in its handling of Large File Storage (LFS) push and sync mirror operations. In versions prior to 1.25.5, these operations do not use the designated migration HTTP transport, so the protections established for migration transport do not apply to them. The security measures configured for LFS requests are effectively bypassed, which can expose users to potential data integrity issues during these operations.

Affected Version(s)

Gitea Open Source Git Server: versions before 1.25.5 (0 < 1.25.5)

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

allsmog