CVE-2026-26247 PUBLISHED

Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange

Assigner: Gitea
Reserved: 03.03.2026
Published: 03.07.2026
Updated: 03.07.2026

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
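The check the advisory refers to is the token-endpoint step of RFC 7636: the server must keep both the code_challenge and the code_challenge_method from the authorization request and, at token exchange, recompute the challenge from the presented code_verifier using that stored method. The following Go example is added here to illustrate that step; it is not Gitea's code and makes no claim about how Gitea's fix is implemented. The type and function names (AuthorizationGrant, VerifyCodeVerifier, S256Challenge) and the sample verifier are assumptions for the example. It fails closed: a grant whose method did not survive persistence is rejected rather than silently treated as unverified.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Challenge methods defined by RFC 7636.
const (
	MethodPlain = "plain"
	MethodS256  = "S256"
)

var (
	ErrBadVerifier   = errors.New("pkce: code_verifier must be 43-128 unreserved characters")
	ErrMismatch      = errors.New("pkce: code_verifier does not match the stored code_challenge")
	ErrUnknownMethod = errors.New("pkce: stored code_challenge_method is missing or unsupported")
)

// AuthorizationGrant (hypothetical name) is what the server persists when it
// issues an authorization code. Both the challenge AND the method must survive
// until the token exchange; if only the challenge is stored, the token endpoint
// cannot know that an S256 comparison was expected.
type AuthorizationGrant struct {
	Code                string
	CodeChallenge       string
	CodeChallengeMethod string
}

// S256Challenge derives the challenge the way a client does:
// BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 §4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces the RFC 7636 §4.1 alphabet and length.
func validVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for _, c := range v {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// VerifyCodeVerifier is the token-endpoint check from RFC 7636 §4.6.
// Any grant that carries a challenge but no recognised method is rejected,
// so a lossy persistence layer cannot downgrade the check to "no check".
func VerifyCodeVerifier(g AuthorizationGrant, verifier string) error {
	if g.CodeChallenge == "" {
		// The grant was issued without PKCE; there is nothing to verify here.
		return nil
	}
	if !validVerifier(verifier) {
		return ErrBadVerifier
	}
	var expected string
	switch g.CodeChallengeMethod {
	case MethodS256:
		expected = S256Challenge(verifier)
	case MethodPlain:
		expected = verifier
	default:
		return ErrUnknownMethod
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(g.CodeChallenge)) != 1 {
		return ErrMismatch
	}
	return nil
}

func main() {
	// Constructed 43-character sample verifier; a real client derives one
	// from at least 32 random bytes.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	good := AuthorizationGrant{Code: "code-1", CodeChallenge: S256Challenge(verifier), CodeChallengeMethod: MethodS256}
	lossy := good
	lossy.CodeChallengeMethod = "" // what a dropped method looks like at exchange time
	fmt.Println("intact grant, right verifier:", VerifyCodeVerifier(good, verifier))
	fmt.Println("intact grant, wrong verifier: ", VerifyCodeVerifier(good, "aBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
	fmt.Println("method not persisted:         ", VerifyCodeVerifier(lossy, verifier))
}
```

The design point worth keeping from this sketch is the default branch of the switch: the server never infers a method from the shape of the stored challenge and never falls through to plain comparison when the method is absent. A quick regression test for any OAuth2 server is therefore to issue a code with code_challenge_method=S256 and then present the raw challenge as the code_verifier; a correctly persisting server must refuse the exchange.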

Product Status

Vendor: Gitea
Product: Gitea Open Source Git Server
Versions (default: unaffected):
  • affected from 0 to 1.25.5 (excl.)

Credits

  • Aisle Research (reporter)

References

Problem Types

  • CWE-284 (Improper Access Control)