CVE-2026-22874 | Severity: CRITICAL | CNA: Gitea

CVE-2026-22874: Gitea webhook and migration allow-list filtering permits SSRF

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: no upstream fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a server-side request forgery (SSRF) vulnerability in Gitea's Open Source Git Server, affecting all versions up to and including 1.26.2. The flaw exists in the webhook and migration allow-list filtering logic, which can be bypassed by a network-accessible attacker holding any valid Gitea account. Successful exploitation lets the attacker force the Gitea server to make arbitrary outbound HTTP requests, reading internal services and modifying data reachable from the server's network position. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment Gitea publishes a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream vulnerability feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Gitea images. Any image layer carrying a Gitea binary at version 1.26.2 or earlier is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.6 (Critical) and weights it against each customer environment's compliance policy to determine the urgency tier. Triage routing directs the alert to the appropriate team inbox within each customer organization, based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Gitea releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads will be initiated without manual intervention once a fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Gitea service over the network; the vulnerability is remotely exploitable via standard HTTP/HTTPS access to the Gitea instance.

  • Authentication: Required

    Any low-privilege Gitea account is sufficient; the attacker does not need administrative or elevated permissions.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can trigger the SSRF entirely through their own authenticated requests.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors need to be arranged.

Blast Radius

  • The attacker can instruct the Gitea server to issue HTTP requests to internal network endpoints, exposing metadata services, internal APIs, and other services not intended to be reachable from outside the host network.
  • Internal service responses are returned through Gitea, allowing the attacker to read credentials, tokens, configuration data, and other sensitive information held by adjacent internal systems.
  • The attacker can send authenticated requests to internal services that accept writes, modifying configuration, creating resources, or triggering actions on systems that trust traffic originating from the Gitea host.
  • Because the scope is changed (S:C in the CVSS vector), impact extends beyond the Gitea application itself to any internal system the server can reach.

How HarborGuard Handles This

Status: Available on HarborGuard. This CVE is actively tracked on every ingest cycle against all customer images running Gitea 1.26.2 or earlier. Because no upstream fix has been published, the recommended immediate compensating controls are:

  • Apply strict egress network policies on the container or pod running Gitea to block outbound requests to internal RFC-1918 address ranges and cloud metadata endpoints (such as 169.254.169.254).
  • Disable, or tightly restrict, the webhook and repository migration features via Gitea's application configuration if those features are not required.
  • Enforce network-level segmentation so the Gitea host cannot reach sensitive internal services.

HarborGuard surfaces this finding as Critical in the compliance dashboard and routes it according to each customer environment's policy configuration. The moment Gitea publishes a patched release, HarborGuard will make a rebuilt image available; for customers who opt into auto-remediation, the rebuild, regression test run, and a PR opened against affected workloads follow automatically, with median time from patch publication to merged PR running around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
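The egress and allow-list controls above amount to a destination policy for user-supplied URLs. The following is an added example, not Gitea's or HarborGuard's code, that expresses that policy as a check an administrator could run over stored webhook and migration targets while the upstream fix is pending; the hostnames, addresses and static resolver are constructed for the demonstration, and the blocked ranges are assumed to be the RFC-1918 and metadata ranges named above plus loopback, CGNAT and their IPv6 counterparts.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a Gitea host should never reach on behalf of a user-supplied
# webhook or migration URL: RFC 1918, loopback, link-local (which contains the
# 169.254.169.254 metadata endpoint), CGNAT, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_all(host):
    """Default resolver: every A and AAAA record for host (via getaddrinfo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def blocked_addresses(url, resolve=resolve_all):
    """Return the addresses behind url that fall in a blocked range ([] = ok).

    Every resolved address is checked, not only the first, since one name can
    map to a public and a private address at once. Host forms that ipaddress
    rejects (bare decimal or hex integers) go to the resolver, whose answers
    are checked too. The result is point-in-time: DNS answers and redirects
    can change the real destination, so enforce the same policy at connect time.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["<unsupported URL>"]
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal address
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    bad = []
    for addr in addrs:
        # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is judged by its payload.
        probe = getattr(addr, "ipv4_mapped", None) or addr
        if any(probe in net for net in BLOCKED_NETWORKS):
            bad.append(str(addr))
    return bad


if __name__ == "__main__":
    # Constructed sample targets; a static map replaces DNS so this runs offline.
    dns = {"hooks.example.com": ["203.0.113.10"],
           "ci.corp.example": ["203.0.113.20", "10.1.2.3"]}
    for url in ("https://hooks.example.com/ci", "https://ci.corp.example/",
                "http://169.254.169.254/latest/meta-data/"):
        print(url, "->", blocked_addresses(url, dns.__getitem__) or "allowed")
```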

Affected packages

  • Gitea / Gitea Open Source Git Server: ≤ 1.26.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N