CVE Catalog

CVE-2026-20779

Severity: High (CVSS 7.1)
Published: (date not available) · Source: NVD (NIST)

Exploitation Probability (EPSS)

0.48% (low risk), 38th percentile: higher than 38% of all known CVEs

Summary

A vulnerability in Gitea versions 1.5.0 through 1.26.2 allows a valid TOTP code to be accepted more than once, in both the web two-factor authentication flow and Basic Auth with the X-Gitea-OTP header.

Risk Assessment

An attacker who captures a valid TOTP code can replay it, for as long as that code remains valid, to gain unauthorized access to the user's account despite two-factor authentication being enabled, because the affected versions do not enforce that each code is used only once.

Recommendation

Upgrade Gitea to version 1.26.3 or later immediately to remediate this vulnerability.

Original NVD description (English source)

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS