CVE-2026-26292 Overview
CVE-2026-26292 is an access control weakness in Gitea versions before 1.25.5. The self-hosted Git service fails to apply the configured migration HTTP transport to Large File Storage (LFS) push and sync mirror operations. Attackers can bypass migration transport protections that administrators rely on to restrict outbound connections to internal or unauthorized hosts. The flaw is classified under CWE-284: Improper Access Control and affects the network attack surface without requiring authentication or user interaction. Gitea addressed the issue in release 1.25.5 by routing LFS push and sync mirror traffic through the same guarded transport as other migration flows.
Critical Impact
Unauthenticated attackers can direct Gitea LFS operations to hosts that the migration transport was configured to block, enabling server-side request forgery style abuse against internal networks.
Affected Products
- Gitea versions prior to 1.25.5
- Gitea deployments using LFS push operations
- Gitea deployments using sync mirror functionality
Discovery Timeline
- 2026-07-03 - CVE-2026-26292 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-26292
Vulnerability Analysis
Gitea supports a dedicated migration HTTP transport that administrators configure to restrict which remote hosts the server can contact during migration and mirror operations. This transport enforces allowlists, denylists, and private address filtering. The vulnerability arises because the LFS subsystem constructs its own HTTP client for push and sync mirror flows. That client does not inherit the migration transport, so LFS traffic escapes the intended controls. An attacker who can trigger an LFS push or mirror sync can point Gitea at arbitrary hosts, including internal services normally shielded from external repositories.
The issue does not require memory corruption or credential theft. It is a logic and configuration flaw in how Gitea instantiates HTTP clients for specific request types. Fixes in Pull Request #36665 and Pull Request #36691 unify the transport used for LFS operations with the migration transport.
Root Cause
The root cause is an improper access control gap [CWE-284]. LFS push and sync mirror handlers were built with a default HTTP transport rather than the hardened migration transport. Any protections encoded in the migration transport, including private network blocks and protocol restrictions, do not apply to those code paths.
Attack Vector
The attack vector is network based and requires no privileges or user interaction. An attacker who can reach the Gitea instance and initiate migration, mirror, or LFS operations can cause the server to issue LFS requests to hosts that the administrator intended to block. This exposes internal metadata services, unauthenticated admin panels, or other assets behind the Gitea host.
No verified public proof-of-concept code is available. Technical details are documented in the Gitea 1.25.5 release announcement and the Gitea v1.25.5 release notes.
Detection Methods for CVE-2026-26292
Indicators of Compromise
- Outbound LFS HTTP requests from the Gitea server to internal IP ranges such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.169.254
- Unexpected LFS push or sync mirror activity referencing hosts not present in the migration allowlist
- Gitea process connections to cloud metadata endpoints or non-Git service ports
Detection Strategies
- Correlate Gitea application logs with egress firewall logs to identify LFS traffic that bypasses the migration transport allowlist
- Alert on any HTTP requests originating from the Gitea service account to RFC1918 addresses or link-local metadata endpoints
- Baseline normal LFS destinations for each repository and flag deviations, particularly new external or internal hosts
Monitoring Recommendations
- Enable verbose logging for LFS and mirror subsystems and forward events to a centralized log platform
- Monitor for creation of mirror repositories that reference non-standard hosts or IP literals
- Track version strings reported by Gitea to confirm all instances run 1.25.5 or later
How to Mitigate CVE-2026-26292
Immediate Actions Required
- Upgrade all Gitea instances to version 1.25.5 or later using the official v1.25.5 release
- Audit existing mirror repositories and LFS configurations for suspicious remote URLs pointing at internal hosts
- Restrict Gitea egress at the network layer so that only approved external Git and LFS endpoints are reachable
Patch Information
Gitea 1.25.5 resolves CVE-2026-26292. The fix is delivered through Pull Request #36665 and Pull Request #36691, which force LFS push and sync mirror operations to use the migration HTTP transport. Review the release announcement for full upgrade guidance.
Workarounds
- Block outbound connections from the Gitea host to internal networks and cloud metadata services at the firewall level until the upgrade is applied
- Disable repository mirroring and LFS features on exposed instances if immediate patching is not possible
- Restrict who can create migrations and mirrors by tightening user permissions and requiring administrator approval
# Verify installed Gitea version and upgrade if below 1.25.5
gitea --version
# Example egress restriction using iptables to block RFC1918 destinations from the Gitea user
iptables -A OUTPUT -m owner --uid-owner gitea -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner gitea -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner gitea -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner gitea -d 169.254.169.254 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

