Gitea disclosed two severe vulnerabilities affecting repository automation and artifact handling. CVE-2026-58424 is a remotely exploitable authorization flaw with a CVSS score of 8.9 that can bypass permanent fork pull-request workflow approval gates, undermining branch protection and merge controls. The issue is tied to permission weaknesses including CWE-285, CWE-732, and CWE-863, and fixes are referenced in Gitea releases 1.26.3 and 1.26.4. Administrators are advised to harden pull-request workflow approvals, enforce strict branch protections, and review workflow logs for signs of bypass attempts.
Gitea also addressed CVE-2026-58426, a critical signed-URL validation flaw in Gitea Actions Artifacts V4 with a CVSS score of 9.6. The CWE-347 weakness stems from HMAC ambiguity and can allow cross-repository artifact reads and cross-task upload-state writes, creating a path for unauthorized access to build artifacts and tampering with task state. The recommended response is to upgrade to a fixed Gitea release, cited as 1.26.2, and audit artifact access controls and upload-state integrity. Separately, Canada’s Centre for Cyber Security issued an advisory urging OpenSSH users to upgrade versions prior to 10.4, but that notice appears unrelated to the Gitea flaws.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
OpenSSH published a security advisory addressing vulnerabilities in versions prior to 10.4. The Canadian Centre for Cyber Security notice urges users and administrators to review the release notes and upgrade to version 10.4 or later.
Two Gitea vulnerabilities were published: CVE-2026-58424, a workflow approval gate bypass, and CVE-2026-58426, an HMAC ambiguity flaw affecting Actions artifact signed URLs. The references indicate fixes are tied to Gitea release information, including versions 1.26.2, 1.26.3, and 1.26.4.
Gitea announced the release of versions 1.26.3 and 1.26.4 in a blog post. These releases are later referenced as containing fixes related to CVE-2026-58424 and CVE-2026-58426.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cyber.gc.ca
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourceblog.gitea.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.