CVE Catalog

CVE-2026-58426

Critical · CVSS 9.6

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

The vulnerability in Gitea Actions Artifacts V4 stems from HMAC ambiguity in signed URLs, allowing cross-repository artifact read and cross-task upload-state write.

Risk Assessment

An attacker can access confidential data stored as artifacts in other repositories or manipulate upload states, leading to data integrity and confidentiality breaches.

Recommendation

Immediately update Gitea to a patched version that resolves the HMAC ambiguity in signed URLs and implement access verification mechanisms for artifacts.

Original NVD description (English source)

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Vulnerability data from NVD (NIST) · CISA KEV · EPSS