Description
A security flaw has been discovered in GitBucket up to 4.46.1. It affects the function Git.cloneRepository.setURI in the file src/main/scala/gitbucket/core/service/RepositoryCreationService.scala. Manipulation of the argument url results in server-side request forgery. The attack can be carried out remotely. An exploit has been released to the public and may be used for attacks. The patch is identified by commit 487a9b980f56aa73b6a044b1e86a92eed5043215. To fix this issue, it is recommended to deploy the patch.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in GitBucket versions up to 4.46.1 allows an attacker to manipulate the URL passed to Git.cloneRepository.setURI, enabling server‑side request forgery. Through SSRF the attacker can cause the GitBucket server to perform arbitrary outbound HTTP requests, potentially accessing internal systems, exfiltrating data, or supporting further attacks. The flaw is a classic CWE‑918 issue. Remediation is to apply the patch identified by commit 487a9b980f56aa73b6a044b1e86a92eed5043215 or upgrade to a fixed version.

Affected Systems

GitBucket, a web‑based Git repository management platform, is affected in all releases up to and including 4.46.1. Any instance running 4.46.1 or earlier is vulnerable. The vendor entry is simply GitBucket.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The EPSS score is not available, so the current exploitation probability is unclear. The vulnerability is publicly known, an exploit is available, and it can be triggered remotely by supplying a crafted repository URL. There is no entry in the CISA KEV catalog. Given the SSRF nature, an attacker can make the server contact internal hosts or external services, which may enable data leaks or pivoting. The risk is therefore moderate but could become severe if the server has unrestricted outbound network access.

Generated by OpenCVE AI on June 29, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch associated with commit 487a9b980f56aa73b6a044b1e86a92eed5043215 or upgrade to a GitBucket release newer than 4.46.1, which contains the fix.
  • While the patch is pending, tighten outbound network controls by restricting the GitBucket process to only allow connections to known, trusted hosts or by applying firewall rules that block unspecified HTTP or HTTPS connections.
  • Validate any repository URL input by enforcing a whitelist of allowed protocols (e.g., only http, https, or git) and rejecting URLs that resolve to localhost or private IP ranges, to protect against SSRF while a patch is not yet deployed.
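As an added illustration of the third action (not GitBucket's code, and written in Python rather than Scala), a validator for a user-supplied clone URL that enforces the scheme allowlist and rejects hosts that resolve to loopback, link-local or private ranges. The resolver is injectable so the check can be exercised offline; the host names and addresses in the sample table are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Schemes the recommended action permits for a clone URL.
ALLOWED_SCHEMES = {"http", "https", "git"}

# Constructed DNS table used by sample_resolver so the check runs offline.
SAMPLE_DNS = {
    "git.example.com": {"93.184.216.34"},      # constructed public host
    "intranet.corp.example": {"10.0.0.5"},     # constructed RFC 1918 host
    "localhost": {"127.0.0.1", "::1"},
}


def sample_resolver(host):
    """Offline stand-in for DNS; unknown names return no addresses."""
    return SAMPLE_DNS.get(host, set())


def default_resolver(host):
    """Return every address (IPv4 and IPv6) the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip):
    """True only for globally routable unicast addresses; loopback,
    link-local, RFC 1918 and other special-purpose ranges are rejected."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_clone_url(url, resolver=default_resolver):
    """Return (ok, reason); ok is False for any URL the server must not fetch."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '<none>'}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        # A literal IP needs no lookup; a name is resolved and every answer is checked.
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = set(resolver(host))
        except OSError:  # socket.gaierror is a subclass of OSError
            addresses = set()
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"
```

The clone itself performs its own DNS lookup after this check, so a name whose answer changes between the two is not caught here; that gap is what the outbound network controls in the second action cover.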



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in GitBucket up to 4.46.1. This affects the function Git.cloneRepository.setURI of the file src/main/scala/gitbucket/core/service/RepositoryCreationService.scala. Performing a manipulation of the argument url results in server-side request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The patch is named 487a9b980f56aa73b6a044b1e86a92eed5043215. To fix this issue, it is recommended to deploy a patch.
Title GitBucket RepositoryCreationService.scala Git.cloneRepository.setURI server-side request forgery
First Time appeared Gitbucket
Gitbucket gitbucket
Weaknesses CWE-918
CPEs cpe:2.3:a:gitbucket:gitbucket:*:*:*:*:*:*:*:*
Vendors & Products Gitbucket
Gitbucket gitbucket
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:36:26.597Z

Reserved: 2026-06-28T10:05:58.381Z

Link: CVE-2026-13540

Vulnrichment

Updated: 2026-06-29T13:36:11.180Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T11:00:05Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)