CVE-2026-28740 Overview
CVE-2026-28740 is an authorization bypass vulnerability in Gitea versions up to and including 1.26.2. The flaw allows Git Large File Storage (LFS) object reuse to authorize access to private source objects for users who have repository access but lack Code-unit access. This weakness is categorized under CWE-639: Authorization Bypass Through User-Controlled Key. Gitea addressed the issue in versions 1.26.3 and 1.26.4.
Critical Impact
Authenticated users without Code-unit permissions can retrieve private source content by reusing existing Git LFS object references, bypassing intended repository access controls.
Affected Products
- Gitea versions up to and including 1.26.2
- Self-hosted Gitea instances with Git LFS enabled
- Repositories using Gitea's unit-based access control (Code-unit restrictions)
Discovery Timeline
- 2026-07-03 - CVE-2026-28740 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-28740
Vulnerability Analysis
Gitea uses a granular permission model that separates repository access from unit-level permissions such as Code, Issues, Pull Requests, and Wiki. A user can hold repository membership while being denied access to the Code unit, restricting their ability to view source content.
The vulnerability arises in how Gitea authorizes Git LFS object retrieval. Git LFS stores large binary artifacts as content-addressable objects referenced by object identifiers (OIDs). When a user requests an LFS object, Gitea validates access based on LFS object ownership rather than validating whether the requester holds the Code-unit permission for the source repository. This mismatch allows a user with repository access but no Code-unit access to fetch LFS objects tied to private source material.
Root Cause
The root cause is inconsistent authorization enforcement between repository-level access and unit-level access, aligned with [CWE-639]. The LFS object reuse path authorizes requests using a key controllable by the requester (the LFS OID and repository reference) without cross-checking Code-unit permissions. Fix details are documented in the Gitea Pull Request Discussion and the GitHub Security Advisory GHSA-2m9v-5q2g-58vq.
Attack Vector
An authenticated attacker with any repository-level access but no Code-unit permission can craft LFS object retrieval requests that reference OIDs associated with private source content. Gitea returns the LFS object without enforcing the Code-unit check. Exploitation requires knowledge of valid OIDs or the ability to reuse OIDs shared across repositories. The attack complexity is elevated because the attacker must obtain valid object references, but no user interaction is required. See the Gitea Release Announcement for vendor context.
Detection Methods for CVE-2026-28740
Indicators of Compromise
- Unexpected GET requests to /<owner>/<repo>.git/info/lfs/objects/<oid> from accounts without Code-unit permissions.
- LFS object downloads by users whose role explicitly excludes the Code unit for the target repository.
- Elevated LFS API traffic from low-privilege accounts across multiple private repositories.
Detection Strategies
- Review Gitea access logs and correlate LFS endpoint access against each user's unit permission set.
- Enable and audit Gitea's authentication and repository activity logs for anomalous LFS object retrieval patterns.
- Baseline normal LFS access per user role and alert on deviations, particularly for users lacking Code-unit access.
Monitoring Recommendations
- Forward Gitea application and reverse proxy logs to a centralized log platform for correlation and retention.
- Alert on LFS endpoint requests originating from accounts that recently had Code-unit access revoked.
- Track outbound data volumes from LFS endpoints to identify bulk retrieval of private objects.
How to Mitigate CVE-2026-28740
Immediate Actions Required
- Upgrade Gitea to version 1.26.3 or 1.26.4 immediately, as documented in the Gitea Version 1.26.3 Release.
- Audit user and team permissions to identify accounts that hold repository access but lack Code-unit access.
- Review LFS access logs for prior unauthorized object retrievals since the affected versions were deployed.
Patch Information
Gitea released patched versions 1.26.3 and 1.26.4 that enforce Code-unit permission checks on Git LFS object retrieval. Details are available in the GitHub Security Advisory GHSA-2m9v-5q2g-58vq and the corresponding Gitea Pull Request Discussion.
Workarounds
- Disable Git LFS in the Gitea configuration if the feature is not required by your workflows.
- Restrict access to private repositories to users who legitimately require both repository and Code-unit permissions until patching is complete.
- Place Gitea behind a reverse proxy that filters or rate-limits /info/lfs/objects/ endpoints for lower-privilege sessions.
# Disable Git LFS in app.ini until patched
[server]
LFS_START_SERVER = false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

