Impact
Gitea versions from 1.5.0 up to but not including 1.26.3 contain a defect in the two-factor authentication logic that allows a valid TOTP code to be accepted multiple times. The flaw breaks the single-use rule normally enforced for one-time passwords, making a captured OTP reusable. The weakness is classified as Improper Authentication (CWE-294) and could enable attackers to gain unauthorized access to user accounts and repository data.
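The single-use rule this advisory refers to is the RFC 6238 requirement that a verifier must not accept the same OTP twice within its validity window. The following Go program is an added illustration and is not Gitea's code; the secret, the account name and the timestamp are constructed for the demo. It places a weak check, which accepts any code that matches the drift window without recording it, beside a hardened check that remembers the last accepted time step per account and refuses a second submission of that step or any earlier one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// totpStep is the RFC 6238 time step in seconds.
const totpStep = 30

// totpCode returns the 6-digit RFC 6238 (HMAC-SHA1) code for a secret and time-step counter.
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier holds per-account TOTP secrets and, for the hardened check, the
// highest time-step counter whose code has already been accepted.
type Verifier struct {
	mu       sync.Mutex
	secrets  map[string][]byte
	lastUsed map[string]uint64
	skew     uint64 // adjacent steps tolerated for clock drift
}

func NewVerifier(skew uint64) *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastUsed: map[string]uint64{}, skew: skew}
}

func (v *Verifier) Enroll(account string, secret []byte) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.secrets[account] = secret
}

// matchStep returns the time-step counter within the drift window whose code
// equals the submitted one, or false if none matches.
func (v *Verifier) matchStep(secret []byte, code string, now time.Time) (uint64, bool) {
	counter := uint64(now.Unix()) / totpStep
	start := uint64(0)
	if counter > v.skew {
		start = counter - v.skew
	}
	for c := start; c <= counter+v.skew; c++ {
		if subtle.ConstantTimeCompare([]byte(code), []byte(totpCode(secret, c))) == 1 {
			return c, true
		}
	}
	return 0, false
}

// VerifyReplayable is the weak pattern: any code that matches the current window
// is accepted and nothing records that it was used, so a captured code stays
// valid until the window expires.
func (v *Verifier) VerifyReplayable(account, code string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	secret, ok := v.secrets[account]
	if !ok {
		return false
	}
	_, matched := v.matchStep(secret, code, now)
	return matched
}

// Verify is the hardened form: after a match it records the time step and
// rejects any later submission for that step or an earlier one, so each code
// can authenticate at most once (RFC 6238 section 5.2).
func (v *Verifier) Verify(account, code string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	secret, ok := v.secrets[account]
	if !ok {
		return false
	}
	step, matched := v.matchStep(secret, code, now)
	if !matched {
		return false
	}
	if last, seen := v.lastUsed[account]; seen && step <= last {
		return false // replay of an already-consumed code
	}
	v.lastUsed[account] = step
	return true
}

func main() {
	// Constructed demo values, not taken from any real deployment.
	secret := []byte("12345678901234567890")
	now := time.Unix(1700000000, 0)
	v := NewVerifier(1)
	v.Enroll("alice", secret)
	code := totpCode(secret, uint64(now.Unix())/totpStep) // what the user's authenticator would show
	fmt.Println("weak, first use:    ", v.VerifyReplayable("alice", code, now))
	fmt.Println("weak, replay:       ", v.VerifyReplayable("alice", code, now))
	fmt.Println("hardened, first use:", v.Verify("alice", code, now))
	fmt.Println("hardened, replay:   ", v.Verify("alice", code, now))
}
```

The last-used step has to be stored where every login path can see it; if the web two-factor form and the Basic Auth header path each keep their own record, or one of them keeps none, a code consumed on one path can still be replayed on the other. Persisting the counter alongside the secret rather than in process memory also keeps the rule intact across restarts and multiple instances.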
Affected Systems
The vulnerability affects the open-source Gitea Git server in all releases from 1.5.0 up to but not including 1.26.3. Any deployment running one of these versions without updating is at risk; the defect is present both in the web-based two-factor login and in Basic Auth using the X-Gitea-OTP header.
Risk and Exploitability
The CVSS score of 7.1 reflects high severity. The EPSS score is below 1%, indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is replaying a captured OTP before it expires. Based on the description, it is inferred that an attacker who captured a valid OTP during a normal login or API request could replay it before expiration against the same or another account to obtain authenticated access. Because the flaw is present across all affected releases, successful exploitation could grant read or write access to any repository or branch, depending on the targeted account.
OpenCVE Enrichment