CVE Catalog

CVE-2026-26247

Low risk · EPSS: 6th percentile
Published: (date not given) · Translated from: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in Gitea before version 1.25.5 does not correctly persist the OAuth2 PKCE S256 challenge method during authorization, allowing token exchange without the required verifier check.

Risk Assessment

An attacker could exploit this flaw to obtain unauthorized OAuth2 tokens, potentially leading to account takeover and access to protected resources.

Recommendation

Immediately upgrade Gitea to version 1.25.5 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS