External risk intelligence

Gitea OAuth Sign-in Callback Improper Authorization Re-enables Disabled Administrator Accounts.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-58422

The vulnerability affects OAuth sign-in callbacks in Gitea, a platform frequently deployed as a public-facing web service or code hosting portal. Because OAuth authentication endpoints are inherently designed to be accessible to users over the internet, this surface is public-facing by design.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Gitea's OAuth sign-in process. Improper handling of authorization during the sign-in callback can silently re-enable administrator-disabled accounts, potentially allowing unauthorized access to systems. This could expose sensitive data or allow malicious actors to regain control of previously disabled accounts.

  • Accounts can be re-enabled by attackers.
  • Protects against unauthorized access to Gitea.
  • Confirm Gitea relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could leverage this vulnerability by initiating an OAuth sign-in process. The improper authorization during the callback phase of this process can silently re-enable administrator-disabled accounts. This allows an attacker to potentially gain unauthorized access to previously disabled accounts.

  • No special access required.
  • Unprotected OAuth sign-in callback.
  • Re-enables disabled administrator accounts.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in how OAuth sign-in callbacks are handled could allow an attacker to silently re-enable administrator-disabled accounts. This may occur when an affected system processes an OAuth sign-in callback, potentially allowing unauthorized access to previously disabled user accounts.

  • Disabled user accounts.
  • Callback processing by an attacker.
  • Unauthorized account access.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world action for this vulnerability requires immediate attention from platform and security teams. The first practical step is to identify all instances of the affected technology, confirm their exposure and business criticality, and then locate the specific owner responsible for remediation. Planning the fix should be risk-based, considering the potential impact of re-enabled administrator-disabled accounts.

  • Platform and security teams own this.
  • Verify affected instances and exposure.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Gitea and what is it used for?

Gitea is a lightweight, self-hosted software development platform. Organizations use it to host Git repositories, manage project issues, and facilitate collaborative coding workflows. It provides essential infrastructure for development teams to store source code and track technical work, often integrated with external identity providers via OAuth for user authentication.

What does CWE-284 mean for CVE-2026-58422?

CWE-284 refers to Improper Access Control. In the context of CVE-2026-58422, this weakness means the software fails to properly check permissions during the OAuth sign-in callback process. Because the system does not correctly validate whether an account is permitted to sign in, it unintentionally overrides manual security blocks, effectively granting access to administrator-disabled accounts that should remain locked.

How is the OAuth callback triggered to re-enable an account?

An attacker initiates the vulnerability by triggering the OAuth sign-in workflow. When the system processes the resulting callback from the authentication provider, the flawed logic incorrectly restores the account status. This does not require an attacker to have prior specialized credentials; simply having the ability to complete the OAuth handshake against the affected Gitea instance is sufficient to bypass the intended account disablement.

Do I need to worry if my Gitea instance is on the internet?

Yes. Halo Surface Signal notes that because Gitea instances often serve as public-facing portals and OAuth endpoints are designed for network-based interaction, this vulnerability is particularly significant for internet-exposed systems. If your Gitea portal is reachable by the public to support distributed developer access, it is effectively within the reach of the trigger mechanism described for this CVE.

What are the first steps to address this Gitea vulnerability?

Begin by identifying every Gitea instance running in your environment to determine which versions are active. Confirm which systems utilize OAuth for authentication, as these are the primary targets. Once identified, assign clear ownership for each instance and coordinate with those teams to evaluate the business impact of potential unauthorized access. Prioritize these assets for updating, focusing on restoring the integrity of your account authorization controls.

References