CVE-2026-26292

Description
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

Metadata

CVE ID
CVE-2026-26292
State
PUBLISHED
Assigner
Gitea
Reserved
2026-02-22 15:13 UTC
Published
2026-07-03 20:19 UTC
Last updated
2026-07-03 20:19 UTC
Primary CWE
CWE-284
Vendor / Product
Gitea / Gitea Open Source Git Server
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
Vendor | Product | Platform | Versions
Gitea | Gitea Open Source Git Server | | 0 < 1.25.5
Weakness (CWE)
CWE | Source | Description
CWE-284 | cna | CWE-284
References (4)