External risk intelligence

Gitea Incomplete SSRF Protection in Webhook and Migration Filters

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-22874

Gitea is a source code hosting platform frequently deployed as an internet-facing web application. Webhooks and repository migration features are core functional components that are typically reachable in these web-based deployments, making the vulnerable surface commonly exposed to the internet.

Server-Side Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Gitea, a self-hosted Git service. An issue with how the system handles webhooks and migration requests could allow unauthorized access to internal network resources if not properly secured. The main concern is confirming whether your organization uses this technology and if it is exposed to the internet.

  • It's a potential gateway for unauthorized access.
  • Protects against breaches of internal systems.
  • Verify use and internet exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by leveraging Gitea's webhook or repository migration features to bypass security checks. This could allow them to trick the system into making requests to arbitrary internal or external network resources that should not be accessible. The vulnerability exists due to insufficient validation in these features.

  • Requires authenticated access.
  • Triggered by manipulating webhook or migration features.
  • Allows unauthorized network access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to send requests to internal network resources or external sites when webhooks or migration features are in use. This could affect system data and service behavior by exposing information about the internal network or triggering unintended actions on other systems. There is no indication of direct impact to PII.

  • Internal network information or external services.
  • Via webhook or migration features.
  • Unintended system actions or data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The affected technology, Gitea, is likely managed by application owners or platform teams responsible for code hosting services. The first practical step is to inventory all Gitea instances, verify their exposure and criticality, identify the accountable owner for each instance, and then prioritize remediation based on assessed risk.

  • Application owners should own the issue.
  • Verify instance exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Gitea?

Gitea is a popular, lightweight, self-hosted software platform used for hosting Git repositories. Developers and teams use it to manage source code, track issues, and automate workflows through features like webhooks and repository migrations, which allow the system to communicate with other network services.

What does CVE-2026-22874 mean by incomplete SSRF protection?

This vulnerability, classified as CWE-918 (Server-Side Request Forgery), means Gitea's allow-list filters fail to sufficiently validate destination addresses. Because the system does not fully restrict these requests, an attacker can trick the application into acting as a proxy to send requests to internal resources or external sites that should remain private.

How is this vulnerability triggered?

The flaw is triggered by manipulating Gitea's webhook or repository migration features. Because these features require authenticated access to the Gitea instance, they cannot be triggered by unauthenticated users. Simply viewing a repository or using basic code hosting features without interacting with these specific request-based tools does not trigger the bug.

Is my Gitea instance at risk?

Halo Surface Signal indicates that Gitea is frequently deployed as an internet-facing service, which significantly increases the risk if your instance is reachable from the web. Organizations running Gitea on a public-facing network are more likely to have these core webhook and migration features exposed, making them a higher priority for review.

What should I do to secure my Gitea instance?

First, create an inventory of all Gitea instances within your organization to identify which are exposed to the internet. Verify the specific version in use, as the vulnerability affects versions up to 1.26.2. Once identified, application owners should prioritize these instances for updates and apply the latest security patches provided by the vendor.

References