CVE Catalog
CVE-2026-26247
Risk rating: Low
Exploitation probability (EPSS): 0.17%, 6th percentile (higher than 6% of all known CVEs)
Summary
A vulnerability in Gitea before version 1.25.5 causes the OAuth2 PKCE S256 challenge method not to be persisted correctly during authorization, so the token exchange can complete without the required code verifier check being enforced.
Risk Assessment
An attacker could exploit this flaw to obtain unauthorized OAuth2 tokens, potentially leading to account takeover and access to protected resources.
Recommendation
Immediately upgrade Gitea to version 1.25.5 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.