
CVE-2026-26232

Low risk · EPSS 6th percentile
Source: NVD (NIST), translated

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in Gitea before version 1.25.5 allows reuse of expired or single-use OAuth2 authorization codes during token exchange. Inconsistent enforcement of code expiry and single-use behavior may lead to unauthorized access.

Risk Assessment

An attacker who obtains an expired or already-used authorization code could exchange it for a valid access token, gaining unauthorized access to user accounts and data in the affected Gitea instance.

Recommendation

Immediately upgrade Gitea to version 1.25.5 or later, which includes a fix enforcing OAuth2 authorization code expiry and single-use behavior.

Original NVD description (English source)

Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS