CVE-2026-22547 Overview
CVE-2026-22547 affects Gitea versions before 1.25.5. The self-hosted Git service fails to enforce validation constraints on repository creation fields. Affected inputs include length-limited template fields and trust model or object format values. The weakness is classified as improper input validation [CWE-20]. An unauthenticated network attacker can submit malformed field values during repository creation, impacting confidentiality and integrity of the Gitea instance.
Critical Impact
Attackers can supply unchecked values for template fields, trust model, and object format during repository creation, undermining data integrity across Gitea repositories.
Affected Products
- Gitea versions prior to 1.25.5
- Self-hosted Gitea Git service instances
- Repository creation API and web endpoints
Discovery Timeline
- 2026-07-03 - CVE-2026-22547 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-22547
Vulnerability Analysis
Gitea exposes repository creation through both its web UI and REST API. Before version 1.25.5, the server did not enforce length limits or allowed-value constraints on several repository creation fields. Template fields, the trust model selector, and the object format selector accepted values outside their intended ranges.
The issue is an input validation weakness [CWE-20]. The service processes user-supplied fields without confirming that they conform to expected formats or enumerated values. The fix landed through pull requests #36671 and #36757 and shipped in the v1.25.5 release.
Root Cause
Repository creation handlers accepted client input without server-side validation. Length-limited template fields lacked size checks. Trust model and object format parameters lacked enumeration checks against the set of valid values supported by Gitea.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction on affected configurations. An attacker sends a crafted repository creation request containing oversized template strings or unexpected trust model or object format values. The Gitea backend accepts the request and stores the malformed values, affecting downstream repository behavior and data integrity.
No verified public proof-of-concept exists. Refer to the Gitea 1.25.5 release announcement and linked pull requests for the exact code paths.
Detection Methods for CVE-2026-22547
Indicators of Compromise
- Repository entries containing oversized or malformed template field values in the Gitea database.
- Repositories created with trust model or object format values outside Gitea's supported enumerations.
- Repository creation API requests with abnormally large payloads in /api/v1/user/repos or /api/v1/orgs/{org}/repos.
Detection Strategies
- Audit the Gitea repository table for rows with unexpected trust_model or object_format values.
- Review reverse proxy or Gitea access logs for POST requests to repository creation endpoints with unusually large bodies.
- Compare the running Gitea binary version against 1.25.5 and flag any host below that release.
Monitoring Recommendations
- Alert on repository creation events performed by anonymous or newly registered accounts if open registration is enabled.
- Forward Gitea application and web server logs to a central log platform for retention and query.
- Track configuration drift on Gitea hosts to catch instances that fall behind on patching.
How to Mitigate CVE-2026-22547
Immediate Actions Required
- Upgrade Gitea to version 1.25.5 or later on all self-hosted instances.
- Disable open user registration if it is not required for the deployment.
- Restrict network access to the Gitea web and API interfaces to trusted networks where feasible.
Patch Information
The fix is included in Gitea 1.25.5. Details are available in the Gitea Blog release announcement, the v1.25.5 release tag, and pull requests #36671 and #36757. Administrators should apply the upstream release rather than backporting patches manually.
Workarounds
- Place Gitea behind a reverse proxy that enforces request body size limits on repository creation endpoints.
- Require authentication for repository creation and disable anonymous access to the API.
- Audit and remove any repositories created with malformed field values after upgrading.
# Configuration example: verify installed Gitea version and upgrade
gitea --version
# Expected output should show 1.25.5 or later
# Example upgrade steps for a binary install
systemctl stop gitea
wget https://github.com/go-gitea/gitea/releases/download/v1.25.5/gitea-1.25.5-linux-amd64
chmod +x gitea-1.25.5-linux-amd64
mv gitea-1.25.5-linux-amd64 /usr/local/bin/gitea
systemctl start gitea
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

