CVE-2026-26292
Risk rating: Low · EPSS exploitation probability: 7% (7th percentile, higher than 7% of all known CVEs)
Summary
Gitea before version 1.25.5 performs LFS push and sync mirror operations without the migration HTTP transport, so the migration transport protections configured for the instance are not applied to those LFS requests.
Risk Assessment
Gitea's migration HTTP transport is where the instance's [migrations] restrictions on outbound connections (ALLOWED_DOMAINS, BLOCKED_DOMAINS, ALLOW_LOCALNETWORKS and related settings) are enforced. Before the fix, the LFS traffic generated by push mirrors and mirror sync did not go through that transport, so those restrictions were not applied to it. An organization relying on them to confine where mirrors may connect is therefore exposed to LFS data transfer outside the allowed channels, with the attendant risk of data leakage and security policy violations.
Recommendation
Upgrade Gitea to version 1.25.5 or later promptly; from that version the LFS push and sync mirror requests are routed through the migration HTTP transport, so the configured protections apply to them as well. Until the upgrade is done, review the [migrations] allow and block settings on the assumption that LFS push and mirror sync traffic is not covered by them.
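As an operational check for the recommendation above, the following is an added example (not from the advisory or the Gitea project) that decides whether a reported Gitea version is before the fixed 1.25.5 without falling into the string-comparison trap where "1.25.10" sorts before "1.25.5". It assumes the version string has the shape Gitea reports (optional leading v, major.minor.patch, optional -prerelease and +build suffixes) and uses a constructed JSON body standing in for a response from the instance's /api/v1/version endpoint; the 1.25.5 threshold is the only value taken from the advisory.

```python
"""Decide whether a Gitea version string is affected (before 1.25.5).

Added example for this advisory; not Gitea project code. The version
string format handled here is an assumption based on what Gitea reports
(e.g. "1.25.4", "v1.25.0-rc1", "1.26.0+dev-12-gabcdef").
"""
import json
import re

# Fixed version from the advisory: releases before this are affected.
FIXED_VERSION = (1, 25, 5)

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?"   # optional pre-release, e.g. rc1
    r"(?:\+(?P<build>[0-9A-Za-z.-]+))?$"  # optional build metadata, ignored
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease) for a Gitea version string.

    prerelease is None for a final release. Raises ValueError on input that
    does not look like a version, rather than silently treating it as safe.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Gitea version string: {text!r}")
    core = (int(match["major"]), int(match["minor"]), int(match["patch"]))
    return core, match["pre"]


def is_affected(text):
    """True if the version is older than the fixed release 1.25.5."""
    core, pre = parse_version(text)
    if core < FIXED_VERSION:          # tuple comparison: 1.25.10 > 1.25.5
        return True
    # A pre-release of the fixed version (1.25.5-rc1) predates the release.
    return core == FIXED_VERSION and pre is not None


def check_version_response(body):
    """Parse a /api/v1/version JSON body and return (version, affected)."""
    version = json.loads(body)["version"]
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample response; a real check would GET /api/v1/version.
    sample = '{"version":"1.25.4"}'
    version, affected = check_version_response(sample)
    print(f"Gitea {version}: {'AFFECTED, upgrade to 1.25.5+' if affected else 'not affected'}")
```

The parser deliberately raises on strings it does not understand; a check that defaults to "not affected" on a malformed version is worse than no check.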
Original NVD description (English source)
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

