CVE-2026-28740: CWE-639 in Gitea Open Source Git Server
Gitea versions up to and including 1.26.2 contain a vulnerability that allows unauthorized reuse of Git LFS objects. This flaw permits users with repository access but without Code-unit access to gain access to private source objects. The vulnerability is classified as CWE-639 and CWE-863 and has a CVSS score of 7.1 (high severity).
AI Analysis
Technical Summary
CVE-2026-28740 affects Gitea Open Source Git Server versions up to 1.26.2. The vulnerability involves improper authorization checks related to Git Large File Storage (LFS) object reuse. Specifically, users who have access to a repository but lack the necessary Code-unit access can exploit this to access private source objects. This is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Incorrect Authorization). The CVSS v3.1 score is 7.1 with vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N, indicating network attack vector, high attack complexity, low privileges required, no user interaction, scope changed, high confidentiality impact, low integrity impact, and no availability impact.
Potential Impact
The vulnerability allows unauthorized users with repository access but without Code-unit access to gain access to private source objects via Git LFS object reuse. This results in a high confidentiality impact, as sensitive source code could be exposed. Integrity impact is low, and availability is not affected. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed, and no official fix or patch information is currently available; check the vendor advisory for current remediation guidance. Until a patch is released, restrict repository access carefully and monitor for unusual access patterns related to Git LFS objects.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gitea
- Date Reserved: 2026-03-03T03:25:59.982Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a4820ff27e9c79719acc11a
Added to database: 07/03/2026, 20:52:15 UTC
Last enriched: 07/03/2026, 21:03:23 UTC
Last updated: 07/03/2026, 23:00:48 UTC