CVE Catalog
CVE-2026-58426
Critical (CVSS 9.6)
Exploitation Probability (EPSS): Low risk, 0.18%
7th percentile — higher than 7% of all known CVEs
Summary
The vulnerability in Gitea Actions Artifacts V4 stems from HMAC ambiguity in signed URLs, allowing cross-repository artifact read and cross-task upload-state write.
Risk Assessment
An attacker can access confidential data stored as artifacts in other repositories or manipulate upload states, leading to data integrity and confidentiality breaches.
Recommendation
Immediately update Gitea to a patched version that resolves the HMAC ambiguity in signed URLs and implement access verification mechanisms for artifacts.
Original NVD description (English source)
Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

