CVE-2026-20779 in Gitea

Summary

by MITRE • 07/04/2026

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.


Analysis

by VulDB Data Team • 07/04/2026

This vulnerability affects Gitea versions from 1.5.0 through 1.26.2 and represents a critical flaw in the time-based one-time password (TOTP) implementation that undermines the multi-factor authentication mechanism. The defect is the improper enforcement of single-use validation for TOTP codes: a valid code is not invalidated once it has been consumed, so the same token can be presented again during web-based two-factor authentication flows and Basic Auth scenarios.

The implementation flaw stems from insufficient state management and validation logic in the authentication subsystem: the system does not track and invalidate a TOTP code after its first successful use. It affects both the X-Gitea-OTP header path used for Basic Auth and the standard web-based two-factor authentication workflow that relies on TOTP as the additional factor.
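As an added illustration (not Gitea's own code), the following is the single-use enforcement the advisory describes as missing: a small RFC 6238 verifier that records the last consumed time step per user, so a code accepted once is refused on any later attempt through any path that shares the verifier. The Verifier type, the user name and the secret are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)
const totpStep = 30 // RFC 6238 time step in seconds
const totpSkew = 1  // accept one step either side of "now" for clock drift
// totpCode computes a 6-digit RFC 6238 code for the given time-step counter.
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}
// Verifier remembers, per user, the time-step counter of the last accepted
// code. Every path that checks a TOTP (web 2FA form, API OTP header) must
// share this state, or a code consumed on one path stays valid on another.
type Verifier struct{ lastUsed map[string]int64 }
func NewVerifier() *Verifier { return &Verifier{lastUsed: map[string]int64{}} }
// Verify accepts code only if it matches a step inside the skew window and
// that step is newer than the last one consumed for this user, so the same
// code (or an older one) is rejected on any second attempt.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	cur := now.Unix() / totpStep
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		step := cur + d
		if !hmac.Equal([]byte(totpCode(secret, uint64(step))), []byte(code)) {
			continue
		}
		if last, ok := v.lastUsed[user]; ok && step <= last {
			return false // replay: this step (or an older one) was already consumed
		}
		v.lastUsed[user] = step
		return true
	}
	return false
}

func main() { // stand-alone demo: the second use of the same code is refused
	s, now, v := []byte("constructed-demo-secret"), time.Now(), NewVerifier() // constructed secret
	code := totpCode(s, uint64(now.Unix()/totpStep))
	fmt.Println(v.Verify("alice", s, code, now), v.Verify("alice", s, code, now)) // true false
}
```

In a real deployment the lastUsed state must be persisted (database or shared cache) rather than kept in process memory, or a restart or a second instance re-opens the replay window.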

The operational impact is significant because the flaw compromises the integrity of the two-factor authentication system. An attacker who captures a valid TOTP code through network sniffing, session hijacking, or other means can reuse that same code to authenticate again without waiting for a new one-time password to be generated. This nullifies the security benefit of TOTP by allowing replay of the second factor against authenticated sessions and Basic Auth endpoints.

This vulnerability maps directly to CWE-310, which addresses cryptographic weaknesses specifically related to improper use of time-based one-time passwords and failure to properly validate authentication tokens. The flaw also aligns with ATT&CK technique T1566.002 for credential access through phishing and credential dumping attacks that exploit weak authentication mechanisms. Organizations using affected Gitea versions face increased risk of unauthorized access and potential privilege escalation when attackers can reuse valid TOTP codes across multiple authentication attempts.

The recommended mitigation is an immediate upgrade to Gitea 1.26.3 or later, where single-use enforcement has been properly implemented and validated. Administrators should also review authentication logs for repeated successful authentications that use the same TOTP code value, and consider monitoring controls that alert on reuse of second-factor tokens as defense in depth against this vulnerability.

Responsible

Gitea

Reservation

03/03/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00481

KEV

no

Activities

very low

Sources
