Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28705

CVE-2026-28705: Gitea Path Traversal Vulnerability

CVE-2026-28705 is a path traversal vulnerability in Gitea before version 1.25.5 that allows attackers to manipulate dump output paths using crafted release names. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-28705 Overview

CVE-2026-28705 is a path traversal vulnerability [CWE-22] in Gitea versions before 1.25.5. The flaw exists in the release asset dump functionality. Gitea uses release tag names and asset names as filesystem path components when writing dump output. Attackers can craft malicious tag or asset names to influence the resulting dump paths.

The vulnerability affects confidentiality only, with no impact to integrity or availability. Exploitation requires no authentication or user interaction and can be performed over the network.

Critical Impact

Specially crafted release tag or asset names can manipulate dump output paths, potentially exposing files outside the intended dump directory during Gitea release asset export operations.

Affected Products

  • Gitea versions prior to 1.25.5
  • Self-hosted Gitea instances performing release asset dumps
  • Gitea repositories exposing release creation to untrusted users

Discovery Timeline

  • 2026-07-03 - CVE-2026-28705 published to NVD
  • 2026-07-07 - Last updated in NVD database
  • Gitea v1.25.5 - Patch released addressing the path traversal issue via pull requests #36799 and #36839

Technical Details for CVE-2026-28705

Vulnerability Analysis

The vulnerability resides in Gitea's release asset dump logic. When Gitea generates dump archives of release assets, it constructs output file paths by concatenating the release tag name and asset name directly onto the destination directory. These attacker-controllable strings are not sanitized to remove directory traversal sequences or absolute path components.

An attacker with permission to create a release or upload a release asset can supply names containing path separators or .. sequences. When an administrator or automated process dumps the repository, the dump writer resolves these names against the target directory, causing files to be written to or read from unintended locations on the host filesystem.

The scope is limited to confidentiality impact. The attacker cannot directly modify arbitrary files through this flaw, but dump content placement can expose data to unauthorized locations. See the Gitea 1.25.5 release announcement for the vendor's summary.

Root Cause

The root cause is missing input validation on release tag names and asset names before their use as filesystem path components. The dump routine trusted repository metadata as safe path input and did not apply canonicalization or reject traversal sequences.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker creates a release with a tag name or asset filename containing traversal sequences such as ../ or leading path separators. When the Gitea instance performs a dump operation on that repository, the crafted name alters the resolved output path.

Refer to the Gitea v1.25.5 release notes and the linked pull requests for the exact code paths modified by the fix.

Detection Methods for CVE-2026-28705

Indicators of Compromise

  • Release tag names or asset filenames containing ../, ..\, or leading / characters
  • Dump output files appearing outside the configured dump destination directory
  • Unexpected files or directories created on the Gitea host during scheduled dump operations
  • Audit log entries showing release creation with unusual character sequences in tag or asset names

Detection Strategies

  • Enumerate all releases and assets across hosted repositories and flag names containing path traversal sequences or non-printable characters
  • Compare dump archive contents against the expected repository asset inventory to identify path anomalies
  • Review Gitea application logs for release creation events preceding dump operations

Monitoring Recommendations

  • Monitor filesystem writes performed by the Gitea service process for paths outside its configured working directories
  • Alert on release or tag creation events containing traversal metacharacters
  • Track version metadata of running Gitea instances to confirm they are at 1.25.5 or later

How to Mitigate CVE-2026-28705

Immediate Actions Required

  • Upgrade all Gitea deployments to version 1.25.5 or later without delay
  • Audit existing repositories for releases and assets with suspicious names and remove or rename them
  • Restrict release creation permissions to trusted users on internet-facing Gitea instances
  • Avoid running release asset dump operations on untrusted repositories until patched

Patch Information

Gitea addressed the issue in version 1.25.5. The relevant code changes are in pull requests #36799 and #36839, which sanitize tag and asset names before use as path components. Download the release from the Gitea v1.25.5 release page.

Workarounds

  • Disable release asset dump operations until the upgrade to 1.25.5 is completed
  • Limit release creation to authenticated internal users through repository permission controls
  • Run the Gitea service under a least-privilege user account with restricted filesystem write scope
bash
# Verify installed Gitea version
gitea --version

# Example upgrade steps (binary install)
systemctl stop gitea
wget https://github.com/go-gitea/gitea/releases/download/v1.25.5/gitea-1.25.5-linux-amd64
mv gitea-1.25.5-linux-amd64 /usr/local/bin/gitea
chmod +x /usr/local/bin/gitea
systemctl start gitea

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.