CVE Catalog

CVE-2026-28740

High · CVSS 7.1

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

A vulnerability in Gitea up to and including version 1.26.2 allows Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

Risk Assessment

The risk involves unauthorized access to private data stored in Git LFS, potentially leading to leakage of sensitive information within the organization.

Recommendation

It is recommended to immediately upgrade Gitea to a version later than 1.26.2, which includes a fix for this security vulnerability.

Original NVD description (English source)

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS