CVE-2026-26292

critical

Description

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

References

https://github.com/go-gitea/gitea/releases/tag/v1.25.5

https://github.com/go-gitea/gitea/pull/36691

https://github.com/go-gitea/gitea/pull/36665

https://blog.gitea.com/release-of-1.25.5/

Details

Source: MITRE, NVD

Published: 2026-07-03

Updated: 2026-07-03

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical