Impact
A vulnerability exists in Gitea web servers up to version 1.26.2 that allows an attacker to perform server‑side request forgery (SSRF) by sending crafted webhook or migration requests. This flaw, classified as CWE‑918, stems from insufficient filtering of allowed URLs, permitting the application to resolve and request arbitrary external addresses on behalf of the host. This can lead to disclosure of internal network resources, denial of service, or further lateral movement if the requester can access privileged services.
Affected Systems
The issue affects installations of Gitea Open Source Git Server through version 1.26.2. Any deployment using Git, webhook, or migration features remains vulnerable until a fix is applied. Products labeled as Gitea Gitea Open Source Git Server in CNA records are included.
Risk and Exploitability
The CVSS score of 9.6 indicates a critical severity. The EPSS score of less than 1% indicates a very low exploitation probability, but the lack of listing in the CISA KEV catalog does not reduce the need for remediation. Based on the description, the likely attack vector is via publicly reachable webhook endpoints or migration APIs. Attackers could exploit the SSRF by sending crafted requests to these interfaces, especially if the application is exposed to the internet, allowing the host to reach any network address. Immediate patching is the recommended course of action.
OpenCVE Enrichment