HIGHCVE-2026-28740Published Modified CNA Gitea
CVE-2026-28740: Gitea LFS object reuse bypasses Code-unit authorization
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- Gitea / Gitea Open Source Git Server≤ 1.26.2
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N