CVE-2026-22874: CWE-918 in Gitea Open Source Git Server
Gitea Open Source Git Server versions up to and including 1.26.2 have an incomplete Server-Side Request Forgery (SSRF) protection vulnerability in webhook and migration allow-list filtering. This vulnerability is identified as CWE-918. It allows an attacker with limited privileges to potentially cause a server-side request to unintended locations, impacting confidentiality and integrity. The vulnerability has a high CVSS score of 9.6, indicating critical severity. No official patch or remediation guidance is currently provided by the vendor. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
CVE-2026-22874 is a critical SSRF vulnerability (CWE-918) affecting Gitea Open Source Git Server versions up to and including 1.26.2. The issue arises from incomplete SSRF protection in webhook and migration allow-list filtering mechanisms, which could allow an attacker with low privileges to make the server perform unintended requests. The CVSS v3.1 base score is 9.6, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high impact on confidentiality and integrity. No official remediation or patch has been announced by the vendor as of the publication date.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker with limited privileges to perform server-side requests to internal or external systems that the server can access. This may lead to unauthorized access to sensitive information or manipulation of data, impacting confidentiality and integrity. Availability impact is not indicated. The vulnerability affects the security posture of Gitea instances by enabling potential SSRF attacks via webhook and migration features.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting webhook and migration functionalities to trusted users and networks, and monitor for unusual request patterns related to these features. Follow updates from the Gitea project for any forthcoming patches or official mitigations.
CVSS v3.1 score: 9.6 (critical)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gitea
- Date Reserved: 2026-03-03T03:25:59.971Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a4820fb27e9c79719acbf2e
Added to database: 07/03/2026, 20:52:11 UTC
Last enriched: 07/03/2026, 21:00:26 UTC
Last updated: 07/03/2026, 22:31:27 UTC