Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58426

CVE-2026-58426: Gitea Actions Information Disclosure Flaw

CVE-2026-58426 is an information disclosure vulnerability in Gitea Actions Artifacts V4 that enables cross-repository artifact access and cross-task upload-state manipulation. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-58426 Overview

CVE-2026-58426 affects Gitea's Actions Artifacts V4 implementation. The vulnerability stems from HMAC signature ambiguity in the signed URLs used to authorize artifact operations. An authenticated attacker with low privileges can forge or reuse signed URLs to read artifacts belonging to other repositories and write upload-state data across tasks. The flaw is categorized under [CWE-347] Improper Verification of Cryptographic Signature. Gitea released version 1.26.2 to address the issue.

Critical Impact

Attackers with basic Actions access can read private artifacts from other repositories and tamper with upload-state records belonging to unrelated CI/CD tasks, breaking tenant isolation across the Gitea instance.

Affected Products

  • Gitea (Actions Artifacts V4 subsystem)
  • Gitea versions prior to 1.26.2
  • Self-hosted Gitea instances running Actions runners

Discovery Timeline

  • 2026-07-03 - CVE-2026-58426 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-58426

Vulnerability Analysis

Gitea Actions Artifacts V4 uses HMAC-signed URLs to authorize artifact uploads, downloads, and state transitions between the Gitea server and Actions runners. The signed URL scheme concatenates fields such as artifact identifiers, task identifiers, and repository scope into the HMAC input without unambiguous field separators or type binding. This produces canonicalization ambiguity where different logical parameter sets generate the same HMAC digest.

An attacker holding a legitimately signed URL for their own task can restructure the request parameters to point at artifacts owned by unrelated repositories while the recomputed signature still validates. The server accepts the request as authentic and returns cross-tenant artifact data or writes upload-state metadata attributed to a foreign task.

Root Cause

The root cause is improper signature verification design. The HMAC input lacks length-prefixing and unique field delimiters, so concatenated parameters are not uniquely bound to their positions. Gitea pull request #37707 restructures the signing payload to remove the ambiguity and enforces strict scope checks after signature validation.

Attack Vector

Exploitation requires network access to the Gitea API and low-privilege authenticated access, typically a valid Actions runner token or repository contributor account. The attacker requests a legitimate signed artifact URL, then substitutes target repository or task identifiers before submitting the crafted request. The scope changes without invalidating the HMAC, giving the attacker cross-repository read access to artifacts and cross-task write access to upload state. No user interaction is required, and the scope boundary between repositories is crossed, which drives the high confidentiality and integrity impact.

See the GitHub Security Advisory GHSA-hg5r-vq93-9fv6 for maintainer analysis.

Detection Methods for CVE-2026-58426

Indicators of Compromise

  • Requests to /api/actions_pipeline/_apis/pipelines/workflows/*/artifacts where the repository or task identifier in the URL does not match the caller's active job context.
  • Signed artifact URLs reused across multiple distinct task or repository identifiers within short time windows.
  • Unexpected artifact download volume from a single runner token targeting repositories that runner is not assigned to.

Detection Strategies

  • Correlate Gitea access logs against the job_id and repo_id fields in the Actions task database to flag mismatches between signed URL scope and authenticated caller.
  • Alert on HTTP 200 responses to artifact endpoints where the requesting runner has no active task in the target repository.
  • Baseline normal signed URL lifetimes and flag requests that reuse the same signature with modified query parameters.

Monitoring Recommendations

  • Enable verbose logging on the routers/api/actions package and forward logs to a centralized SIEM for retention.
  • Monitor artifact storage backends (local, S3, MinIO) for read patterns that do not correspond to a matching artifact upload event.
  • Track Gitea version strings across the fleet to confirm all instances run 1.26.2 or later.

How to Mitigate CVE-2026-58426

Immediate Actions Required

  • Upgrade all Gitea instances to version 1.26.2 or later using the Gitea 1.26.2 release notes.
  • Rotate Actions runner registration tokens and any long-lived repository access tokens after patching.
  • Audit artifact storage for reads attributed to tasks that did not upload the corresponding artifact.

Patch Information

Gitea 1.26.2 contains the fix delivered through pull request #37707. The patch restructures the HMAC payload so artifact identifiers, task identifiers, and repository scope are unambiguously bound to the signature, and it adds server-side scope validation after signature verification. Full release details are available in the Gitea 1.26.2 blog announcement.

Workarounds

  • Disable Gitea Actions on affected instances until the upgrade to 1.26.2 is completed if immediate patching is not possible.
  • Restrict runner registration to trusted repositories and disable global runners that service multiple tenants.
  • Place the Gitea Actions API behind a reverse proxy that enforces per-runner IP allow-lists to reduce exposure.
bash
# Verify installed Gitea version and upgrade if below 1.26.2
gitea --version
# Example upgrade for binary installs
systemctl stop gitea
wget https://github.com/go-gitea/gitea/releases/download/v1.26.2/gitea-1.26.2-linux-amd64 -O /usr/local/bin/gitea
chmod +x /usr/local/bin/gitea
systemctl start gitea

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.