CVE Catalog

CVE-2026-26292

Low risk · EPSS 7th percentile
Source: NVD (NIST), translated

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

In Gitea before version 1.25.5, LFS push and sync-mirror operations do not use the migration HTTP transport, so the protections configured for the migration transport are bypassed for those LFS requests.

Risk Assessment

An affected deployment may carry out LFS data transfers outside the allowed migration channels, increasing the risk of data leakage and of violating the organization's security policy.

Recommendation

Upgrade Gitea to version 1.25.5 or later as soon as possible so that the migration transport protections also apply to LFS push and sync-mirror operations.

Original NVD description (English source)

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS