CVE-2026-58426 (Severity: CRITICAL), CNA: Gitea

CVE-2026-58426: Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: no upstream fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

This is an HMAC signature ambiguity vulnerability in the Gitea Actions Artifacts V4 signed URL implementation, affecting Gitea Open Source Git Server versions up to and including 1.26.1. An authenticated attacker with a low-privilege account can reach the affected endpoint over the network and exploit the ambiguous HMAC construction to forge valid signed URLs for other repositories or tasks. Successful exploitation gives the attacker unauthorized read access to artifacts stored in other repositories and the ability to write upload state across task boundaries, compromising both confidentiality and integrity of CI/CD artifact data. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Gitea publishes a fix version.
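As an added illustration of the vulnerability class named above (this is not Gitea's code; the page does not show the real URL-signing construction), the following Go snippet signs hypothetical repository/artifact fields two ways: by plain concatenation, where two different tuples produce one signature, and by a length-prefixed canonical encoding, which is the standard fix. The key and field values are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// demoKey is a constructed secret for this illustration only.
var demoKey = []byte("constructed-demo-key-not-a-real-secret")

// ambiguousMAC signs the fields by plain concatenation. Different tuples can
// produce the same byte stream, so one signature validates two distinct requests.
func ambiguousMAC(key []byte, fields ...string) string {
	mac := hmac.New(sha256.New, key)
	for _, f := range fields {
		mac.Write([]byte(f))
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// canonicalMAC prefixes each field with its 4-byte big-endian length, so the
// signed byte stream decodes to exactly one tuple (an injective encoding).
func canonicalMAC(key []byte, fields ...string) string {
	mac := hmac.New(sha256.New, key)
	var n [4]byte
	for _, f := range fields {
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		mac.Write(n[:])
		mac.Write([]byte(f))
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyCanonical checks a presented signature in constant time against the
// fields the server itself derives from the request path and caller identity.
func verifyCanonical(key []byte, sig string, fields ...string) bool {
	return hmac.Equal([]byte(sig), []byte(canonicalMAC(key, fields...)))
}

func main() {
	// Hypothetical (repoID, artifactName) tuples: "1"+"2artifact" and "12"+"artifact"
	// concatenate to the same bytes, so only the length-prefixed scheme separates them.
	fmt.Println("ambiguous collides:", ambiguousMAC(demoKey, "1", "2artifact") == ambiguousMAC(demoKey, "12", "artifact"))
	fmt.Println("canonical collides:", canonicalMAC(demoKey, "1", "2artifact") == canonicalMAC(demoKey, "12", "artifact"))
	fmt.Println("canonical verify:", verifyCanonical(demoKey, canonicalMAC(demoKey, "1", "2artifact"), "1", "2artifact"))
}
```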

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-58426 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from Gitea base layers. Any image running Gitea 1.26.1 or earlier is flagged in the affected environment's scan results.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.6 (Critical) and surfaces it at the top of each affected environment's alert queue, weighted further by any per-environment compliance policy that elevates CI/CD pipeline components. Routing rules can direct the finding to the team inbox responsible for internal developer tooling or SCM infrastructure within each customer org.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Gitea advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch ships.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Gitea Actions Artifacts V4 API endpoint over the network; the service must be accessible from the attacker's network location.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must hold valid Gitea credentials but does not need administrative access.

  • Victim interaction: Not required

    No victim action is needed; the attacker interacts directly with the API without requiring any other user to click a link or perform an action.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory layout knowledge.

Blast Radius

  • Attacker reads artifact files (binaries, test results, secrets embedded in build outputs) stored in repositories they have no authorization to access.
  • Attacker writes forged upload-state records across task boundaries, corrupting artifact metadata and potentially substituting malicious build outputs for legitimate ones.
  • The scope change (S:C in the CVSS vector) means impact extends beyond the attacker's own repository context to other repositories and tasks hosted on the same Gitea instance.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously against all images running Gitea 1.26.1 or earlier across customer environments. Because no upstream fix has been published, HarborGuard monitors the Gitea advisory on every ingest cycle and will automatically trigger a patched-image rebuild for customers with auto-remediation enabled as soon as Gitea ships a fix. In the interim, compensating controls worth evaluating include network-policy isolation that restricts access to the Gitea Actions Artifacts API to known CI runner IP ranges, egress filtering on Gitea runner nodes to limit lateral movement, and disabling the V4 Artifacts feature flag if your Gitea build supports toggling it without breaking required workflows. Manual review of artifact access logs for cross-repository URL patterns is advisable given the Critical severity and zero-interaction exploitation path.

Affected packages
  • Gitea / Gitea Open Source Git Server
    ≤ 1.26.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N