Description
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
Published: 2026-07-03
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in Gitea web servers up to version 1.26.2 that allows an attacker to perform server‑side request forgery (SSRF) by sending crafted webhook or migration requests. This flaw, classified as CWE‑918, stems from insufficient filtering of allowed URLs, permitting the application to resolve and request arbitrary external addresses on behalf of the host. This can lead to disclosure of internal network resources, denial of service, or further lateral movement if the requester can access privileged services.

Affected Systems

The issue affects installations of Gitea Open Source Git Server through version 1.26.2. Any deployment using Git, webhook, or migration features remains vulnerable until a fix is applied. Products labeled as Gitea Gitea Open Source Git Server in CNA records are included.

Risk and Exploitability

The CVSS score of 9.6 indicates a critical severity. The EPSS score of less than 1% indicates a very low exploitation probability, but the lack of listing in the CISA KEV catalog does not reduce the need for remediation. Based on the description, the likely attack vector is via publicly reachable webhook endpoints or migration APIs. Attackers could exploit the SSRF by sending crafted requests to these interfaces, especially if the application is exposed to the internet, allowing the host to reach any network address. Immediate patching is the recommended course of action.

Generated by OpenCVE AI on July 6, 2026 at 09:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gitea 1.26.3 or later, which contains the corrected allow‑list filtering for webhook and migration URLs.
  • If an upgrade cannot be performed immediately, restrict external access to the webhook and migration endpoints or limit them to trusted IP ranges until the patch is applied.
  • Review and tighten webhook configurations so that only trusted URLs are whitelisted; consider disabling the migration API if it is not required.

Generated by OpenCVE AI on July 6, 2026 at 09:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
Title Gitea webhook and migration allow-list filtering permits SSRF
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:31.006Z

Reserved: 2026-03-03T03:25:59.971Z

Link: CVE-2026-22874

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)