CVE-2026-26292
Description
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server | — | 0 < 1.25.5 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-284 | cna | CWE-284 |
References (4)
- GitHub Pull Request #36665 https://github.com/go-gitea/gitea/pull/36665
- GitHub Pull Request #36691 https://github.com/go-gitea/gitea/pull/36691
- Gitea v1.25.5 Release https://github.com/go-gitea/gitea/releases/tag/v1.25.5
- Gitea v1.25.5 Release Blog Post https://blog.gitea.com/release-of-1.25.5/