Home

Description

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

PUBLISHED Reserved 2026-02-22 | Published 2026-07-03 | Updated 2026-07-07 | Assigner Gitea

Problem types

CWE-284

Product status

Default status
unaffected

Any version before 1.25.5
affected

Credits

allsmog reporter

References

github.com/go-gitea/gitea/pull/36665 (GitHub Pull Request #36665) patch

github.com/go-gitea/gitea/pull/36691 (GitHub Pull Request #36691) patch

github.com/go-gitea/gitea/releases/tag/v1.25.5 (Gitea v1.25.5 Release) release-notes

blog.gitea.com/release-of-1.25.5/ (Gitea v1.25.5 Release Blog Post) release-notes

cve.org (CVE-2026-26292)

nvd.nist.gov (CVE-2026-26292)

Download JSON