CVE-2026-28740
HIGH 7.1 (CVSS 3.1)
Description
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
Metadata
Severity & Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server | — | 0 through 1.26.2 (inclusive) |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.1 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |
References (4)
- GitHub Security Advisory https://github.com/go-gitea/gitea/security/advisories/GHSA-2m9v-5q2g-58vq
- GitHub Pull Request #38050 https://github.com/go-gitea/gitea/pull/38050
- Gitea v1.26.3 Release https://github.com/go-gitea/gitea/releases/tag/v1.26.3
- Gitea v1.26.4 Release Blog Post https://blog.gitea.com/release-of-1.26.3-and-1.26.4/