CVE-2026-26232
Risk: Low · Exploitation Probability (EPSS): 6%, 6th percentile (higher than 6% of all known CVEs)
Summary
A vulnerability in Gitea before version 1.25.5 allows reuse of expired or single-use OAuth2 authorization codes during token exchange. Inconsistent enforcement of code expiry and single-use behavior may lead to unauthorized access.
Risk Assessment
An attacker who obtains an authorization code that has already expired or already been redeemed could still exchange it for a valid token, gaining unauthorized access to user accounts and data within the Gitea instance.
Recommendation
Immediately upgrade Gitea to version 1.25.5 or later, which includes a fix enforcing OAuth2 authorization code expiry and single-use behavior.
Original NVD description (English source)
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
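The two checks the advisory describes, expiry and single use, are only meaningful when the token endpoint validates and consumes the code atomically. The following Go snippet is an added illustration of that expected behaviour and is not Gitea's code; the in-memory store, the type and function names and the error values are assumptions for this example.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Distinct errors for logging; on the wire both surface as OAuth2 "invalid_grant".
var (
	ErrInvalidCode = errors.New("invalid_grant: unknown or already used authorization code")
	ErrExpiredCode = errors.New("invalid_grant: authorization code expired")
)

// AuthCode is a hypothetical record for one issued authorization code.
type AuthCode struct {
	UserID    int64
	ExpiresAt time.Time
}

// CodeStore is an in-memory stand-in for the table of issued codes.
type CodeStore struct {
	mu    sync.Mutex
	codes map[string]*AuthCode
}

func NewCodeStore() *CodeStore { return &CodeStore{codes: map[string]*AuthCode{}} }

// Issue records a code that is valid for ttl from now.
func (s *CodeStore) Issue(code string, userID int64, now time.Time, ttl time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &AuthCode{UserID: userID, ExpiresAt: now.Add(ttl)}
}

// Exchange checks expiry and consumes the code inside one critical section,
// so a replayed or concurrent second exchange of the same code cannot succeed.
func (s *CodeStore) Exchange(code string, now time.Time) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ac, ok := s.codes[code]
	if !ok {
		return 0, ErrInvalidCode
	}
	if !now.Before(ac.ExpiresAt) {
		delete(s.codes, code) // expired codes are dropped, never redeemable
		return 0, ErrExpiredCode
	}
	delete(s.codes, code) // single use: removed before any access token is minted
	return ac.UserID, nil
}
```

In a real deployment the delete-and-return step maps to a single conditional update or delete in the database so that two requests racing on the same code cannot both succeed.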

