CVE-2026-20779
Severity: High (CVSS 7.1)
Exploitation Probability (EPSS): Low risk, 38th percentile (higher than 38% of all known CVEs)
Summary
A vulnerability in Gitea versions 1.5.0 through 1.26.2 allows a valid TOTP code to be reused multiple times in two-factor authentication flows via web and Basic Auth with the X-Gitea-OTP header.
Risk Assessment
An attacker who captures a valid TOTP code can reuse it to gain unauthorized access to user accounts despite two-factor authentication being enabled.
Recommendation
Upgrade Gitea to version 1.26.3 or later immediately to remediate this vulnerability.
Original NVD description (English source)
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
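As an added example (not Gitea's code), a reference TOTP verifier in Go that enforces the single-use rule this advisory describes as missing: a per-user record of the highest time step already accepted, shared by every authentication path (web form and OTP header), so a code can never be accepted a second time even inside the clock-skew window. The secret is the RFC 6238 Appendix B test secret; user names and timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
)

const totpPeriod = 30 // seconds per time step (RFC 6238 default)
// totpCode returns the 6-digit RFC 6238 code (HMAC-SHA1) for one time step.
func totpCode(secret []byte, step uint64) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, step)) // 8-byte big-endian counter
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier remembers, per user, the highest time step whose code was accepted;
// every login path (web form, OTP header) must share this one piece of state.
type Verifier struct {
	mu       sync.Mutex
	secret   []byte // one shared secret for brevity (constructed example)
	lastStep map[string]uint64
}
func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastStep: map[string]uint64{}}
}

// Verify accepts code for user at Unix time now within one step of skew, and
// rejects any code whose step is at or below the last accepted one (replay).
func (v *Verifier) Verify(user, code string, now int64) bool {
	step := uint64(now / totpPeriod)
	v.mu.Lock() // check-and-record must be atomic across concurrent logins
	defer v.mu.Unlock()
	for _, s := range []uint64{step - 1, step, step + 1} {
		if subtle.ConstantTimeCompare([]byte(totpCode(v.secret, s)), []byte(code)) == 1 {
			if last, seen := v.lastStep[user]; seen && s <= last {
				return false // replay: this step was already consumed
			}
			v.lastStep[user] = s
			return true
		}
	}
	return false
}
```

The first call for a given step succeeds and every later presentation of that code, on any path, is refused; the state must be persisted in the same store for all authentication entry points, not kept per request handler.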