HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-28740Published Modified CNA Gitea

CVE-2026-28740: Gitea LFS object reuse bypasses Code-unit authorization

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

Metrics

CVSS v3.1
7.1
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

Affected packages
  • Gitea / Gitea Open Source Git Server
    ≤ 1.26.2
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N