CVE-2026-22874 in Gitea

Summary

by MITRE • 07/04/2026

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.


Analysis

by VulDB Data Team • 07/04/2026

The vulnerability in Gitea versions up to and including 1.26.2 represents a critical server-side request forgery weakness that undermines the security controls designed to protect against unauthorized external resource access. This flaw specifically affects the webhook and migration functionality where the application attempts to validate and filter allowed external domains or IP addresses through allow-list mechanisms. The incomplete protection means that attackers can bypass these security controls to make unauthorized requests to internal systems or external malicious endpoints that should otherwise be blocked by the filtering logic.

The technical implementation of this vulnerability stems from insufficient validation of the allow-list filtering mechanism used during webhook configuration and repository migration operations. When users configure webhooks or perform repository migrations, Gitea validates against a predefined list of acceptable domains or IP addresses to prevent access to potentially harmful resources. However, the flawed implementation allows attackers to craft malicious inputs that can circumvent these restrictions through various techniques such as domain name manipulation, IP address obfuscation, or bypassing validation checks through encoding or alternative representations of the target URLs.

This vulnerability creates significant operational risks for organizations using affected Gitea versions, as it enables attackers to potentially access internal network resources that should remain protected from external access. The impact extends beyond simple information disclosure, as successful exploitation could allow adversaries to perform reconnaissance on internal systems, exfiltrate sensitive data through data leakage channels, or even establish persistence mechanisms by accessing internal services such as databases or management interfaces. Additionally, the vulnerability could be leveraged in combination with other attack vectors to create more sophisticated exploitation scenarios.

The security implications of this flaw align with CWE-918, which specifically addresses server-side request forgery vulnerabilities where applications fail to properly validate and sanitize external resource requests. From an adversarial perspective, this vulnerability maps to multiple ATT&CK techniques including T1071.004 for application layer protocol and T1566 for phishing with social engineering components that could be used to manipulate users into configuring malicious webhook endpoints. Organizations should prioritize immediate remediation by upgrading to Gitea version 1.26.3 or later, which contains the necessary patches to address the allow-list filtering implementation. Additionally, network segmentation controls and monitoring of webhook activity should be implemented as additional defensive measures while awaiting the upgrade process.

The vulnerability is a classic example of incomplete input validation, where a security control is bypassed because user-provided input is insufficiently sanitized. A patch for this class of issue typically strengthens the URL parsing and validation logic behind the allow-list so that it handles edge cases, validates every component of the target URL, and accounts for the encoding schemes and alternative representations that could otherwise slip past the filter. Security teams should also audit their existing webhook configurations and migration records for entries that may have been accepted while the filtering was incomplete.
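The kind of strict URL validation the two paragraphs above describe, written out as an added example in Go (Gitea's implementation language). This is not Gitea's own code and not the fix shipped in 1.26.3; the `AllowList` type, the injected `Resolver`, the `deniedPrefixes` set and the `DemoAllowList`/`demoDNS` sample data are all assumptions constructed for this example. The checker parses the URL once, restricts the scheme, rejects embedded credentials, refuses literal addresses that do not parse canonically (so decimal, octal or shorthand forms are never interpreted), compares IPv4-mapped IPv6 addresses as their IPv4 form, and resolves every allow-listed hostname so that a name pointing into an internal range is refused as well.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver returns the addresses a hostname resolves to. It is injected so the check
// runs offline on constructed data; a real deployment would wrap net.DefaultResolver.
type Resolver func(host string) ([]netip.Addr, error)

// AllowList is a hypothetical webhook/migration allow-list: exact hostnames,
// ".suffix" entries that match any subdomain, and literal address prefixes.
type AllowList struct {
	Hosts    []string
	Prefixes []netip.Prefix
}

// deniedPrefixes are never reachable, whatever the allow-list says.
var deniedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
}

// inAny tests the unmapped address, so ::ffff:127.0.0.1 is judged as 127.0.0.1.
func inAny(prefixes []netip.Prefix, ip netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(ip.Unmap()) {
			return true
		}
	}
	return false
}

func (a AllowList) hostAllowed(host string) bool {
	for _, h := range a.Hosts {
		h = strings.ToLower(h)
		if host == h || (strings.HasPrefix(h, ".") && strings.HasSuffix(host, h)) {
			return true
		}
	}
	return false
}

// CheckURL reports whether a webhook or migration target may be contacted.
func (a AllowList) CheckURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return fmt.Errorf("credentials embedded in URL are not allowed")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	// A literal address must parse canonically; other forms fail here and are rejected.
	if ip, err := netip.ParseAddr(host); err == nil {
		if inAny(deniedPrefixes, ip) || !inAny(a.Prefixes, ip) {
			return fmt.Errorf("address %s not allowed", ip)
		}
		return nil
	}
	if !a.hostAllowed(host) {
		return fmt.Errorf("host %q not on allow-list", host)
	}
	// An allowed name is still resolved and every resulting address is checked.
	addrs, err := resolve(host)
	if err != nil || len(addrs) == 0 {
		return fmt.Errorf("host %q did not resolve (%v)", host, err)
	}
	for _, ip := range addrs {
		if inAny(deniedPrefixes, ip) {
			return fmt.Errorf("host %q resolves to denied address %s", host, ip)
		}
	}
	return nil
}

// DemoAllowList and demoDNS are constructed sample data so the example runs offline.
var DemoAllowList = AllowList{
	Hosts:    []string{"hooks.example.com", ".example.org"},
	Prefixes: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")},
}

var demoDNS = map[string][]netip.Addr{
	"hooks.example.com":  {netip.MustParseAddr("203.0.113.10")},
	"inside.example.org": {netip.MustParseAddr("10.0.0.5")},
}

// DemoResolver answers from demoDNS; unknown names yield no addresses.
func DemoResolver(host string) ([]netip.Addr, error) { return demoDNS[host], nil }
```

The block defines no `main`; call `DemoAllowList.CheckURL(target, DemoResolver)` from your own program or a test file. Two design choices matter here. First, literal addresses are accepted only in the canonical form `netip.ParseAddr` understands; anything else is rejected outright rather than normalised, which removes the whole class of alternative-representation bypasses the analysis mentions. Second, the check is applied at configuration time, so the same address check should be repeated when the connection is actually dialled, because the records behind an allow-listed name can change between validation and use.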

Responsible

Gitea

Reservation

03/03/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00464

KEV

no

Activities

low

Sources
