External risk intelligence

Gitea OAuth2 Authorization Code Handling Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-26232

Gitea is commonly deployed as a self-hosted, internet-facing code hosting platform and web application. OAuth2 token exchange endpoints are typical components of these web services, making them reachable via the internet in many standard deployments.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a security vulnerability in Gitea that could allow unauthorized access to user accounts and sensitive data if not properly addressed. The issue relates to how the system handles authentication codes, potentially enabling attackers to bypass security controls during the process of exchanging these codes for access tokens. The main concern is confirming relevance and exposure.

  • Authentication codes can be misused.
  • Protects against unauthorized access to accounts.
  • Confirm relevance and exposure immediately.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could potentially abuse a flaw in how Gitea handles OAuth2 token exchanges. By sending specially crafted requests, an attacker might be able to reuse or extend the validity of authorization codes, leading to unauthorized access. This vulnerability, if exploited, could allow an attacker to impersonate legitimate users and gain access to their repositories and sensitive information.

  • Unauthenticated network access required.
  • Reusing or extending authorization codes.
  • Unauthorized access to repositories.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact systems using Gitea by allowing unauthorized access to user accounts through improperly handled OAuth2 tokens. When supported by the advisory, an attacker could potentially exploit the inconsistent enforcement of authorization code expiry and single-use behavior during token exchange to gain access to sensitive information or perform actions on behalf of legitimate users.

  • User account access and sensitive data.
  • Exploits inconsistent OAuth2 token handling.
  • Unauthorized actions and potential data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Gitea's OAuth2 implementation requires immediate attention from the platform or application owners responsible for managing the Gitea instances. The first practical step is to identify all deployed Gitea instances, determine their exposure to the internet, and confirm their business criticality. Once identified, the accountable owner should be contacted to plan remediation, prioritizing instances that are externally accessible or critical to business operations.

  • Platform/Application Owners
  • Verify external reachability and criticality.
  • Plan targeted remediation or mitigating controls.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Gitea?

Gitea is a popular, lightweight, self-hosted software platform used for hosting code repositories and managing software development projects. It provides integrated tools similar to other version control platforms, helping teams collaborate on code by storing files, tracking changes, and managing user access through web-based interfaces.

What does CWE-294 mean for CVE-2026-26232?

This vulnerability falls under CWE-294, which refers to an Authentication Bypass by Capture-replay. In this context, it means the software fails to correctly ensure that an OAuth2 authorization code is used only once or within its intended timeframe. Because the system does not properly enforce these rules during the token exchange process, an attacker could potentially reuse a code to obtain unauthorized access.

How does an attacker trigger this vulnerability?

An attacker triggers this issue by submitting a specifically crafted request during the OAuth2 token exchange phase. If the Gitea instance does not properly validate that the authorization code has expired or was already used, the server may mistakenly grant an access token. This issue does not occur when the authorization code is correctly handled, validated, and invalidated by the server immediately after its initial use.

Why should I care if my Gitea instance is internet-facing?

According to Halo Surface Signal, Gitea is frequently deployed as an internet-facing service, which significantly increases the risk for this vulnerability. Because the flaw can be triggered remotely without prior authentication, instances reachable from the open internet are much easier for an unauthorized party to target compared to those restricted to internal networks.

How do I start addressing this vulnerability?

Your first step is to perform an inventory of all Gitea instances running in your environment to identify which versions are in use. Prioritize checking any instances that are exposed to the internet or host sensitive code. Once identified, confirm the specific version running on those servers and coordinate with your team to plan for updates to version 1.25.5 or later, which resolves this issue.

References