CVE-2026-22547 in Giteainfo

Summary

by MITRE • 07/04/2026

Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/04/2026

The vulnerability in Gitea versions prior to 1.25.5 represents a critical input validation weakness that undermines the integrity of repository creation processes within the platform. This issue stems from insufficient sanitization of user-supplied data during repository initialization, particularly affecting template fields and trust model configurations. The absence of proper validation constraints creates opportunities for malicious actors to exploit these gaps and potentially compromise system security through crafted inputs.

The technical flaw manifests in the lack of proper length restrictions and value validation for repository creation parameters. Attackers can manipulate template fields to exceed expected character limits or provide invalid trust model values that may cause unexpected behavior in the underlying system processing. This vulnerability falls under the category of insufficient input validation as defined by CWE-20, which specifically addresses weaknesses related to inadequate sanitization of input data. The flaw allows for potential injection attacks and could enable unauthorized modifications to repository configurations that affect system stability and security posture.

The operational impact of this vulnerability extends beyond simple data corruption scenarios. When attackers exploit these validation gaps, they may be able to manipulate repository settings in ways that compromise access controls, alter object formats, or disrupt normal repository operations. The trust model configuration fields are particularly sensitive as they determine how repository permissions and access rights are enforced within the system. This weakness could enable privilege escalation or unauthorized modification of repository attributes that should remain protected from user manipulation.

Mitigation strategies for this vulnerability require immediate implementation of comprehensive input validation across all repository creation parameters. Organizations should upgrade to Gitea version 1.25.5 or later where these validation constraints have been properly implemented. Additional protective measures include implementing strict length limitations for template fields, validating all trust model values against predefined acceptable ranges, and establishing robust sanitization processes for user-supplied data. The remediation approach aligns with ATT&CK technique T1078 which addresses legitimate credentials and privilege escalation through system configuration manipulation. System administrators should also consider implementing monitoring solutions to detect anomalous repository creation patterns that might indicate exploitation attempts, while ensuring that all repository creation workflows adhere to principle of least privilege and proper access controls.

Responsible

Gitea

Reservation

02/22/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!