CVE-2026-28740 in Giteainfo

Summary

by MITRE • 07/04/2026

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability exists within Gitea version 1.26.2 and earlier systems where Git LFS object reuse mechanisms fail to properly enforce authorization checks for private source objects. The flaw stems from insufficient validation of user permissions when processing LFS object requests, allowing authenticated users with repository access but without code-unit access privileges to potentially gain unauthorized access to private LFS objects through object reuse patterns. The technical implementation does not adequately verify that requesting users possess the necessary permissions to access specific LFS objects, creating a privilege escalation vector.

The vulnerability operates by exploiting the Git LFS protocol's object reuse functionality where previously uploaded LFS objects can be referenced and accessed by users who have repository-level permissions but not code-unit level access. This creates a scenario where legitimate users can bypass traditional access controls and retrieve private binary files that should only be accessible to users with explicit code-unit permissions. The flaw specifically affects systems using Git LFS for large file storage management and occurs when the system fails to validate object ownership or access permissions during reuse operations.

The operational impact of this vulnerability extends beyond simple unauthorized data access, as it represents a critical authorization bypass that could lead to exposure of sensitive source code components, proprietary binaries, or other confidential repository assets. Attackers could leverage this weakness to extract private LFS objects containing intellectual property, configuration files, or other sensitive materials that should remain restricted to authorized personnel with proper code-unit access rights. The vulnerability affects organizations using Gitea for version control and LFS management, particularly those with strict access control policies.

Mitigation strategies should focus on implementing proper authorization checks for all LFS object requests regardless of whether objects are being newly uploaded or reused. Organizations should update to Gitea versions that address this specific authorization bypass issue, typically through patches that enforce stricter permission validation during LFS operations. Security teams should also consider implementing additional monitoring for unusual LFS access patterns and ensure proper least-privilege access controls are enforced for repository users. This vulnerability aligns with CWE-285 which addresses improper authorization in software systems, and could be categorized under ATT&CK technique T1078 for valid accounts and privilege escalation through unauthorized access to restricted resources.

The root cause of this issue demonstrates a failure in the principle of least privilege enforcement within Git LFS operations, where object reuse logic does not properly validate user permissions against specific LFS objects. This represents a common security pattern where systems assume that repository-level access should automatically grant access to all associated LFS objects without proper granular permission checks. Organizations should implement comprehensive testing procedures for LFS access controls and consider the broader implications of object reuse mechanisms in their source control environments, particularly when dealing with sensitive binary content that requires different access controls than regular repository files.

Responsible

Gitea

Reservation

03/03/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00323

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!