Description
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
Published: 2026-07-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gitea versions from 1.5.0 up to but not including 1.26.3 contain a defect in the two‑factor authentication logic that allows a valid TOTP code to be accepted multiple times. The flaw breaks the single‑use rule normally enforced for one‑time passwords, making a captured OTP reusable. The weakness is classified as Improper Authentication (CWE‑294) and could enable attackers to gain unauthorized access to user accounts and repository data.

Affected Systems

The vulnerability affects the open‑source Gitea Git server in every release from 1.5.0 up to but not including 1.26.3. Any deployment running one of these versions without updating is at risk; the defect is present both in the web‑based two‑factor login flow and in Basic Auth using the X‑Gitea‑OTP header.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is below 1%, indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is replay of a captured OTP before it expires: based on the description, an attacker who captures a valid OTP during a normal login or API request could replay it before expiration against the same or another account to obtain authenticated access. Because the flaw is present across all affected releases, successful exploitation could grant read or write access to any repository or branch reachable from the targeted account.

Generated by OpenCVE AI on July 5, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.26.3 or later to fix the TOTP replay defect
  • Restrict the validity period of generated TOTPs and enforce per‑session usage to narrow the window for replay
  • Enable comprehensive authentication audit logging and regularly review logs for anomalous OTP reuse

Generated by OpenCVE AI on July 5, 2026 at 00:31 UTC.
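The defect described above and the "enforce per‑session usage" recommendation come down to one property of a TOTP verifier: a code must be accepted at most once. The following Go program is an added illustration and is not Gitea's code; it implements a generic RFC 6238 verifier (HMAC‑SHA1, 6 digits, 30‑second step) whose per‑account state remembers the highest time step already consumed and refuses any code at or below it. The Verifier, Enroll and Verify names are assumptions chosen for the example, and the secret is the RFC 6238 test‑vector key, used here as constructed sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep   = 30 // RFC 6238 default time step in seconds
	totpDigits = 6  // number of digits in the generated code
)

// totpCode computes the RFC 6238 code for one time-step counter (HMAC-SHA1 variant).
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f) // dynamic truncation offset
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, bin%mod)
}

// account is the per-user state a single-use verifier needs (hypothetical type).
type account struct {
	secret       []byte
	lastUsedStep int64 // highest time step whose code was already accepted; -1 if none
}

// Verifier is an illustrative TOTP checker that enforces single use of each code.
type Verifier struct {
	mu       sync.Mutex
	accounts map[string]*account
	skew     int64 // accepted clock drift, in steps, on each side of "now"
}

func NewVerifier() *Verifier {
	return &Verifier{accounts: map[string]*account{}, skew: 1}
}

// Enroll registers a shared secret for a user with no code consumed yet.
func (v *Verifier) Enroll(user string, secret []byte) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.accounts[user] = &account{secret: secret, lastUsedStep: -1}
}

// Verify checks code for user at time now. It returns true at most once per
// time step: a code whose step is at or below the highest already-accepted
// step is refused, so a captured code cannot be replayed even while the
// 30-second window it belongs to is still open. Keeping the *highest* step
// (rather than only the last one) also blocks replay of an older code that
// still falls inside the drift window.
func (v *Verifier) Verify(user, code string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	acct, ok := v.accounts[user]
	if !ok {
		return false
	}
	cur := now.Unix() / totpStep
	for d := -v.skew; d <= v.skew; d++ {
		s := cur + d
		if s < 0 {
			continue
		}
		// constant-time comparison of the expected and supplied codes
		if hmac.Equal([]byte(totpCode(acct.secret, uint64(s))), []byte(code)) {
			if s <= acct.lastUsedStep {
				return false // replay: this step's code was already consumed
			}
			acct.lastUsedStep = s
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input: the RFC 6238 test-vector secret and timestamps.
	v := NewVerifier()
	v.Enroll("alice", []byte("12345678901234567890"))
	at := time.Unix(1111111109, 0)
	fmt.Println("first use:", v.Verify("alice", "081804", at))                     // true
	fmt.Println("replay   :", v.Verify("alice", "081804", at.Add(5*time.Second))) // false
	fmt.Println("next step:", v.Verify("alice", "050471", time.Unix(1111111111, 0))) // true
}
```

The important design point for a system like Gitea is that every path that accepts an OTP, here the web two‑factor flow and the Basic Auth X‑Gitea‑OTP header, must consult and update the same per‑account lastUsedStep record; a second, independent check that does not share that state is exactly what lets a code be accepted more than once.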

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type          Values Removed   Values Added
Description                    Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
Title                          Gitea TOTP single-use enforcement defect allows OTP replay
Weaknesses                     CWE-294
References
Metrics                        cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:29.239Z

Reserved: 2026-03-03T03:26:00.104Z

Link: CVE-2026-20779

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:45:04Z

Weaknesses
  • CWE-294: Authentication Bypass by Capture-replay