CVE-2026-26292 PUBLISHED

Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions

Assigner: Gitea
Reserved: 22.02.2026 Published: 03.07.2026 Updated: 03.07.2026

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, so those LFS requests bypass the configured migration transport protections.

Product Status

Vendor Gitea
Product Gitea Open Source Git Server
Versions Default: unaffected
  • affected from 0 to 1.25.5 (excl.)

Credits

  • allsmog (reporter)

Problem Types

  • CWE-284 CWE