Description
Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Gitea Open Source Git Server versions older than 1.25.5. When users create a repository, the system does not enforce length or format constraints on fields such as template descriptors, trust model tags, or object format identifiers. Malformed or excessively long values supplied by an attacker can trigger application errors, consume excessive resources, or result in improper trust assignments. The weakness is categorized as CWE‑20, improper input validation.

Affected Systems

All Gitea installations running a version prior to 1.25.5 are affected. The issue was addressed in release 1.25.5, which adds validation checks for the relevant fields; versions 1.25.5 and later are not vulnerable.

Risk and Exploitability

The repository creation endpoint requires authentication, so exploitation requires access to an account with repository creation privileges. No public exploit has been reported and the vulnerability is not listed in CISA’s KEV catalog. The EPSS score is below 1%, indicating a low probability of widespread exploitation, although the lack of validation could still cause denial of service or misconfigured trust settings if an attacker can reach the endpoint.

Generated by OpenCVE AI on July 6, 2026 at 00:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Gitea 1.25.5 release or a later version that includes the input validation fix.
  • If a patch cannot be applied immediately, restrict public access to repository creation endpoints, allowing only authenticated administrators to create repositories.
  • Audit any automation or scripts that create repositories to enforce maximum length limits and valid values for template descriptors, trust model tags, and object format identifiers.

Generated by OpenCVE AI on July 6, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.
Title Gitea repository creation accepts invalid field values
Weaknesses CWE-20
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:30.291Z

Reserved: 2026-02-22T15:13:33.653Z

Link: CVE-2026-22547

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses
  • CWE-20

    Improper Input Validation