CVE-2026-58426
Gitea Actions Artifacts HMAC Ambiguity Allows Unauthorized Access and Data Modification.
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A critical vulnerability in Gitea Actions Artifacts could permit unauthorized cross-repository artifact reading and upload-state writing due to an HMAC ambiguity in signed URLs. This could expose sensitive information or allow unauthorized modifications to task states if the Gitea deployment is reachable.