CVE-2026-22874
Severity: Critical (CVSS 9.6)
Exploitation Probability (EPSS): Low risk, 37th percentile (higher than 37% of all known CVEs)
Summary
CVE-2026-22874 affects Gitea versions up to and including 1.26.2. The SSRF protection applied by the allow-list filtering for webhook and migration targets is incomplete, so an attacker may be able to bypass this security control.
Risk Assessment
An attacker who bypasses the allow-list could cause the Gitea server to make unauthorized requests to internal network resources, which could lead to data leakage, privilege escalation, or further attacks on the infrastructure.
Recommendation
It is recommended to immediately upgrade Gitea to a version later than 1.26.2 that includes a fix for this vulnerability. Also review and strengthen network traffic filtering rules, in particular the outbound (egress) rules for the host running Gitea.
Original NVD description (English source)
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.