Gitea Git LFS Authorization Flaw in Version 1.26.2
CVE-2026-28740

7.1 HIGH

Key Information:

Vendor:
Gitea

CVE Published:
3 July 2026

What is CVE-2026-28740?

Gitea, an open-source self-hosted Git service, has a vulnerability that allows Git LFS (Large File Storage) objects to be reused across repositories, which can give users access to private LFS objects in repositories for which they lack the required Code unit access. This authorization flaw enables unauthorized access to sensitive data, so affected instances should be patched promptly to safeguard repository confidentiality.

Affected Version(s)

Gitea Open Source Git Server: all versions up to and including 1.26.2

CVSS v3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

m2hcz