CVE-2026-22874: Gitea webhook and migration allow-list filtering permits SSRF
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a server-side request forgery (SSRF) vulnerability in Gitea's Open Source Git Server, affecting all versions up to and including 1.26.2. The flaw exists in the webhook and migration allow-list filtering logic, which can be bypassed by a network-accessible attacker holding any valid Gitea account. Successful exploitation lets the attacker force the Gitea server to make arbitrary outbound HTTP requests, reading internal services and modifying data reachable from the server's network position. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment Gitea publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream vulnerability feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Gitea images. Any image layer carrying a Gitea binary at version 1.26.2 or earlier is flagged automatically.
HarborGuard is capable of scoring this finding at CVSS 9.6 (Critical) and weighting it against each customer environment's compliance policy to determine urgency tier. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Gitea releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads will be initiated without manual intervention once a fix is available.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Gitea service over the network; the vulnerability is remotely exploitable via standard HTTP/HTTPS access to the Gitea instance.
- Authentication: Required
Any low-privilege Gitea account is sufficient; the attacker does not need administrative or elevated permissions.
- Victim interaction: Not required
No action from another user or administrator is needed; the attacker can trigger the SSRF entirely through their own authenticated requests.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors need to be arranged.
Blast Radius
- The attacker can instruct the Gitea server to issue HTTP requests to internal network endpoints, exposing metadata services, internal APIs, and other services not intended to be reachable from outside the host network.
- Internal service responses are returned through Gitea, allowing the attacker to read credentials, tokens, configuration data, and other sensitive information held by adjacent internal systems.
- The attacker can send authenticated requests to internal services that accept writes, modifying configuration, creating resources, or triggering actions on systems that trust traffic originating from the Gitea host.
- Because the scope is changed (S:C in the CVSS vector), impact extends beyond the Gitea application itself to any internal system the server can reach.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked on every ingest cycle against all customer images running Gitea 1.26.2 or earlier. Because no upstream fix has been published, the recommended immediate compensating controls are:
- Apply strict egress network policies on the container or pod running Gitea to block outbound requests to internal RFC-1918 address ranges and cloud metadata endpoints (such as 169.254.169.254).
- Disable or tightly restrict the webhook and repository migration features via Gitea's application configuration if those features are not required.
- Enforce network-level segmentation so the Gitea host cannot reach sensitive internal services.
HarborGuard will surface this finding as Critical in the compliance dashboard and route it according to each customer environment's policy configuration. The moment Gitea publishes a patched release, HarborGuard will make a rebuilt image available; for customers who opt into auto-remediation, the rebuild, regression test run, and a PR opened against affected workloads will follow automatically, with median time from patch publication to merged PR running around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
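The egress restriction described above is a network-layer control. Its application-layer counterpart, shown here as an added example that is not Gitea's code and not part of the advisory, is an outbound HTTP client that refuses internal destinations at connect time rather than by inspecting the hostname up front. The check runs in the dialer's Control hook on the resolved `ip:port`, so a hostname that resolves to a private, loopback or link-local address (the cloud metadata address 169.254.169.254 is link-local) is refused after DNS resolution, and redirects pass through the same hook. The function names are this example's own; it uses only the Go standard library (`net.IP.IsPrivate` needs Go 1.17 or later). It is a defence-in-depth measure alongside the egress policy, not a replacement for the upstream fix.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// isDisallowedIP reports whether an outbound connection to ip should be
// refused: loopback, RFC-1918 / IPv6 ULA private ranges, link-local
// (which covers the 169.254.169.254 metadata endpoint), multicast and the
// unspecified address. IPv4-mapped IPv6 addresses are unwrapped first so a
// literal such as ::ffff:10.0.0.1 is evaluated as its IPv4 form.
func isDisallowedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified()
}

// checkDialAddress is installed as the net.Dialer Control hook. It is called
// after DNS resolution and before connect(), with the literal "ip:port" being
// dialled, so the decision is made on the address actually contacted rather
// than on whatever name the caller supplied.
func checkDialAddress(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// The dialer always hands us an IP literal here; anything else is refused.
		return fmt.Errorf("egress check: %q is not an IP literal", host)
	}
	if isDisallowedIP(ip) {
		return fmt.Errorf("egress check: refusing connection to internal address %s", ip)
	}
	return nil
}

// newEgressRestrictedClient builds an http.Client whose every connection,
// including those made while following redirects, goes through checkDialAddress.
// Proxy is left nil so environment proxy settings cannot route around the hook.
func newEgressRestrictedClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: checkDialAddress}
	transport := &http.Transport{
		DialContext: dialer.DialContext,
		Proxy:       nil,
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

func main() {
	// Constructed sample destinations, not values from the advisory.
	for _, addr := range []string{"169.254.169.254", "10.20.30.40", "::ffff:192.168.1.1", "93.184.216.34"} {
		fmt.Printf("%-20s blocked=%v\n", addr, isDisallowedIP(net.ParseIP(addr)))
	}
	// The request fails inside the dial hook, before any packet leaves the host.
	client := newEgressRestrictedClient()
	_, err := client.Get("http://169.254.169.254/")
	fmt.Println("request result:", err)
}
```

Because the check sits at the socket layer, it also catches the case where a name passes a one-time allow-list lookup and is later resolved to a different address; that is the property a complete allow-list filter needs and the reason a hostname-only check is not sufficient.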
- Gitea / Gitea Open Source Git Server: ≤ 1.26.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N