CVE-2026-26232 in Gitea
Summary
by MITRE • 07/04/2026
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/04/2026
Gitea is a self-hosted Git service that provides web-based interface for repository management and collaboration features. The vulnerability affects versions prior to 1.25.5 where the OAuth2 implementation fails to properly enforce token expiration and single-use constraints during the authorization code exchange process. This weakness creates a potential security risk by allowing malicious actors to reuse valid authorization codes beyond their intended single-use window, effectively extending the validity period of tokens that should be ephemeral.
The technical flaw stems from improper validation of OAuth2 authorization codes within the token exchange flow. When an authorization code is generated and exchanged for an access token, the system should enforce that each code can only be used once and must expire after a predetermined time window typically measured in minutes. In affected Gitea versions, this enforcement mechanism is either absent or inconsistently applied, allowing attackers to capture valid authorization codes and reuse them for unauthorized access attempts.
This vulnerability directly impacts the security posture of organizations relying on Gitea for code repository management and CI/CD pipeline integration. Attackers could exploit this weakness to gain prolonged access to repositories, potentially leading to data exfiltration, code manipulation, or privilege escalation within the system. The operational impact extends beyond simple unauthorized access as it undermines the fundamental security model of OAuth2 authentication protocols that rely on time-bound tokens and single-use principles.
The vulnerability aligns with CWE-613 which addresses insufficient session expiration and CWE-306 which covers missing authentication checks. From an ATT&CK perspective, this weakness maps to T1566 for credential access through valid accounts and potentially T1078 for legitimate credential use. Organizations using Gitea should immediately upgrade to version 1.25.5 or later where the OAuth2 token handling has been corrected to properly enforce expiration timing and single-use constraints during authorization code exchange operations.
Mitigation strategies include immediate deployment of the patched Gitea version, thorough review of existing access tokens for potential compromise, implementation of monitoring for unauthorized token usage patterns, and verification of OAuth2 configuration settings. Security teams should also consider implementing additional authentication controls such as multi-factor authentication and regular audit logging of authorization code exchanges to detect anomalous behavior. The fix ensures that each authorization code is validated for freshness and consumed only once before being invalidated, restoring proper OAuth2 security guarantees within the platform.
Organizations should conduct comprehensive testing of their Gitea integrations after applying the patch to ensure no disruption to legitimate workflows while maintaining enhanced security posture. Regular security assessments should include verification of OAuth2 token behavior and enforcement mechanisms to prevent similar vulnerabilities from emerging in other authentication components. The patched version addresses both the immediate security concern and restores trust in the platform's authentication integrity for protecting sensitive source code repositories and development environments.