CVE-2026-20779 in Gitea
Summary
by MITRE • 07/04/2026
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability affects Gitea versions 1.5.0 through 1.26.2 and is a critical flaw in the time-based one-time password implementation that undermines the security of multi-factor authentication. The defect is improper enforcement of single-use validation for TOTP codes: a valid code is not invalidated after it is first accepted, so an attacker can present the same token again during web-based two-factor authentication flows and in Basic Auth scenarios.
The flaw stems from insufficient state management and validation logic in the authentication subsystem, which fails to record and invalidate a TOTP code after its first successful use. It specifically affects the X-Gitea-OTP header path used with Basic Auth and the standard web-based two-factor authentication workflows that rely on time-based one-time passwords as an additional factor.
The operational impact is significant because the defect compromises the integrity of the two-factor authentication system. An attacker who captures a valid TOTP code through network sniffing, session hijacking, or other means can reuse that same code to authenticate without needing a freshly generated one. This weakness essentially nullifies the security benefit of TOTP by allowing credential replay against authenticated sessions and Basic Auth endpoints.
This vulnerability maps directly to CWE-310, which addresses cryptographic weaknesses specifically related to improper use of time-based one-time passwords and failure to properly validate authentication tokens. The flaw also aligns with ATT&CK technique T1566.002 for credential access through phishing and credential dumping attacks that exploit weak authentication mechanisms. Organizations using affected Gitea versions face increased risk of unauthorized access and potential privilege escalation when attackers can reuse valid TOTP codes across multiple authentication attempts.
The recommended mitigation involves immediate upgrade to Gitea version 1.26.3 or later where the single-use enforcement has been properly implemented and validated. Additionally, system administrators should monitor authentication logs for unusual patterns of repeated successful authentications using the same TOTP code values. Organizations should also consider implementing additional authentication monitoring controls that can detect and alert on suspicious reuse patterns of authentication tokens to provide defense-in-depth against this specific vulnerability.
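To show what correct single-use enforcement looks like, here is an added Go example (not Gitea's code and not derived from its patch): a verifier that computes RFC 6238 codes and burns the timestep of each accepted code per user under a lock, so the same code is refused on a second attempt whether it arrives via the web 2FA form or the Basic Auth path, and so two concurrent requests cannot both succeed with it. The user names, secret and timestep values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
)

// totpCode is the RFC 6238 code (HMAC-SHA1, 6 digits) for one 30-second timestep.
func totpCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier must be the single instance shared by every login path (web 2FA and Basic Auth),
// so a code burned on one path cannot be replayed on another. Hypothetical type, not Gitea's.
type Verifier struct {
	mu       sync.Mutex
	lastUsed map[string]uint64 // highest timestep already consumed per user (0 = none yet)
	skew     int64             // timesteps of clock drift tolerated on either side of now
}

func NewVerifier(skew int64) *Verifier {
	return &Verifier{lastUsed: map[string]uint64{}, skew: skew}
}

// Verify accepts code only if it matches a step inside the skew window AND that step is
// later than the last one consumed for user; the step is burned while the lock is held.
func (v *Verifier) Verify(user string, secret []byte, code string, now uint64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	for d := -v.skew; d <= v.skew; d++ {
		step := uint64(int64(now) + d)
		if hmac.Equal([]byte(totpCode(secret, step)), []byte(code)) {
			if step <= v.lastUsed[user] {
				return false // already used: the replay that single-use enforcement blocks
			}
			v.lastUsed[user] = step
			return true
		}
	}
	return false
}
```

Burning the timestep rather than the code string also rejects an older code that is still inside the skew window once a newer one has been accepted.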