CVE-2026-58426 in Gitea
Summary
by MITRE • 07/04/2026
Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/04/2026
The vulnerability in Gitea Actions Artifacts V4 involves a critical security flaw in the handling of signed URLs for artifact management that enables unauthorized cross-repository access and manipulation. This issue stems from an ambiguous implementation of HMAC (Hash-based Message Authentication Code) verification mechanisms within the artifact storage system, creating opportunities for attackers to exploit the signed URL generation process.
The technical flaw manifests when Gitea generates signed URLs for accessing or uploading artifacts within repository actions workflows. The HMAC signature calculation does not properly validate the repository context or task scope associated with each signed URL, allowing an attacker who gains access to a valid signed URL to potentially access artifacts from other repositories or manipulate upload states across different tasks. This ambiguity in the HMAC verification process creates a path for privilege escalation through artifact manipulation.
The operational impact of this vulnerability extends beyond simple data exposure, as it enables attackers to perform cross-repository artifact reads that could expose sensitive information, build artifacts, or configuration files from other projects. Additionally, the cross-task upload-state write capability allows malicious actors to manipulate the state of different task executions within the same repository or even across repositories, potentially disrupting continuous integration pipelines, injecting malicious artifacts, or causing false positives in automated security scanning systems.
This vulnerability directly relates to CWE-287 (Improper Authentication) and CWE-345 (Insufficient Verification of Data Authenticity) while mapping to ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing) through potential exploitation paths involving compromised credentials or manipulated signed URLs. The ambiguity in HMAC verification creates a vector for attackers to bypass normal access controls that should restrict artifact access to specific repositories and tasks.
Mitigation strategies must focus on strengthening the HMAC verification process by implementing proper repository context validation, task scope enforcement, and ensuring that signed URL generation includes comprehensive authentication parameters that bind each URL to its intended repository and task execution. Organizations should implement strict URL expiration policies, enforce unique signing keys per repository, and establish robust audit trails for artifact access and modification events. Regular security scanning of Gitea installations should include verification of signed URL handling mechanisms, and administrators should consider implementing additional access controls such as IP whitelisting or multi-factor authentication for critical repository operations.