Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26307

CVE-2026-26307: Gitea Git Grep DoS Vulnerability

CVE-2026-26307 is a denial of service flaw in Gitea versions before 1.25.5 that allows expensive git grep searches to consume server resources. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-26307 Overview

CVE-2026-26307 is a resource exhaustion vulnerability in Gitea versions before 1.25.5. The application does not enforce a timeout on git grep code search operations. Authenticated or unauthenticated users can submit expensive search queries that consume substantial CPU and memory on the server. Repeated or crafted searches can degrade service availability for all users of the instance. The issue is classified under CWE-400: Uncontrolled Resource Consumption and impacts availability without affecting confidentiality or integrity. Gitea released version 1.25.5 to address the flaw.

Critical Impact

Attackers can trigger unbounded git grep operations to exhaust server CPU and memory, causing denial of service against Gitea instances exposed over the network.

Affected Products

  • Gitea versions prior to 1.25.5
  • Self-hosted Gitea deployments exposing repository search functionality
  • Gitea instances with public or authenticated code search enabled

Discovery Timeline

  • 2026-07-03 - CVE-2026-26307 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-26307

Vulnerability Analysis

Gitea exposes a code search feature that invokes the underlying git grep command against repository contents. In versions prior to 1.25.5, the invocation does not apply an execution timeout or a resource ceiling. Search requests that match extremely large files, deeply nested history, or complex regular expressions execute until completion. An attacker who submits several such requests in parallel forces the server to allocate CPU cycles and memory to each git grep process. Available worker threads become saturated, and legitimate user requests queue or fail. The vulnerability requires no authentication when repositories are publicly readable, which is common for open-source hosting.

Root Cause

The root cause is the absence of a bounded execution context around git grep invocations. Gitea launched the subprocess without a cancellation deadline or context timeout, allowing runaway searches to persist. The upstream fixes in pull request #36809 and pull request #36835 introduce timeout enforcement on the search path.

Attack Vector

Exploitation is remote and network-based. An attacker sends HTTP requests to the Gitea code search endpoint with search patterns designed to maximize git grep runtime. Complex regular expressions applied across large repositories produce sustained CPU load. Repeated concurrent requests amplify the effect until the host becomes unresponsive. No user interaction is required, and privileges are not needed against public repositories.

No public exploitation code is available. The vulnerability mechanism is described in the Gitea 1.25.5 release announcement.

Detection Methods for CVE-2026-26307

Indicators of Compromise

  • Sustained high CPU utilization tied to git grep child processes spawned by the Gitea service account
  • Elevated response latency or HTTP 5xx errors from Gitea search endpoints
  • Large volumes of requests to code search URLs from a small set of source IP addresses
  • Repository search queries containing broad or catastrophic backtracking regular expressions

Detection Strategies

  • Monitor process telemetry for long-running git grep executions exceeding expected search durations
  • Alert on repeated access to /search, /issues, or /code search paths with anomalous query complexity
  • Correlate spikes in Gitea worker thread saturation with concurrent inbound search requests

Monitoring Recommendations

  • Instrument the Gitea host to track per-process CPU seconds and memory RSS for git subprocesses
  • Forward web server access logs to a centralized platform for baselining search endpoint traffic
  • Track service-level indicators such as request queue depth and HTTP 503 rates for the Gitea reverse proxy

How to Mitigate CVE-2026-26307

Immediate Actions Required

  • Upgrade Gitea to version 1.25.5 or later using the artifacts published at the v1.25.5 release page
  • Restrict anonymous access to repository search on internet-facing instances until the upgrade is complete
  • Place Gitea behind a reverse proxy that enforces request rate limits on search endpoints

Patch Information

Gitea 1.25.5 enforces a timeout on git grep executions. The fix ships in the commits associated with pull request #36809 and pull request #36835. Administrators should validate the running binary reports version 1.25.5 or later after the upgrade.

Workarounds

  • Apply reverse proxy rate limiting to search URLs to cap concurrent expensive queries per client
  • Disable public code search on repositories that do not require it until patching is complete
  • Constrain the Gitea service using operating system controls such as cgroups to cap CPU and memory usage
bash
# Example nginx rate limit for Gitea search endpoints
limit_req_zone $binary_remote_addr zone=gitea_search:10m rate=5r/m;

server {
    location ~ ^/(search|issues|.*/search) {
        limit_req zone=gitea_search burst=10 nodelay;
        proxy_pass http://gitea_backend;
        proxy_read_timeout 15s;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.