gitea

v1.26.2 Security

This release includes 12 security fixes for security teams reviewing exposed deployments.

Published 14d Git Forges

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 12 known CVEs

Topics

bitbucket ci-cd devops docker-registry-v2 git git-gui

+11 more

git-lfs git-server gitea github gitlab go maven-server npm-registry self-hosted typescript vue

Affected surfaces

auth rbac deps

Summary

AI summary

Security fixes across OAuth, actions, git and web handling plus bugfixes in pull requests, markup rendering, packages and workflow APIs.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Medium	Fix reading permission vulnerability (#37769) Fix reading permission vulnerability (#37769) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Make artifact signature payloads unambiguous (#37707) Make artifact signature payloads unambiguous (#37707) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Unify public-only token filtering in API queries and repo access checks (#37118) Unify public-only token filtering in API queries and repo access checks (#37118) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Add missed token scope checking (#37735) Add missed token scope checking (#37735) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Bind token exchanges to the original client request (#37704) Bind token exchanges to the original client request (#37704) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Strengthen PKCE validation and refresh token replay protection (#37706) Strengthen PKCE validation and refresh token replay protection (#37706) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Enforce token scopes on raw, media, and attachment downloads (#37698) Enforce token scopes on raw, media, and attachment downloads (#37698) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Security	Medium	Enforce wiki git writes and LFS token access at request time (#37695) Enforce wiki git writes and LFS token access at request time (#37695) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Encrypt AWS credentials in API (#37679) Encrypt AWS credentials in API (#37679) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	Add DEFAULT_TITLE_SOURCE setting for pull request title behavior (#37465) Add DEFAULT_TITLE_SOURCE setting for pull request title behavior (#37465) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Medium	Update mermaid dependency to v11.15.0 (security) with e2e test (#37707) Update mermaid dependency to v11.15.0 (security) with e2e test (#37707) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Dependency	Medium	Bump go-git/go-git/v5 to 5.19.0 (#37608) Bump go-git/go-git/v5 to 5.19.0 (#37608) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix
Bugfix	Medium	Fix smart http request scope bug in git (#37583) Fix smart http request scope bug in git (#37583) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Fix URL sanitization to handle schemeless credentials (#37440) (#37471) Fix URL sanitization to handle schemeless credentials (#37440) (#37471) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Resolve package creation unique conflict (#37774) Resolve package creation unique conflict (#37774) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Allow direct commits for unprotected files with push restrictions (#37657) Allow direct commits for unprotected files with push restrictions (#37657) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Resolve deadlock between PrepareRunAndInsert and UpdateTaskByState in actions (#37692) Resolve deadlock between PrepareRunAndInsert and UpdateTaskByState in actions (#37692) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Fix basic auth bug (#37503) Fix basic auth bug (#37503) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Correct assumption about run ID vs job ID in actions (#37737) Correct assumption about run ID vs job ID in actions (#37737) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Run TransferLogs on UpdateLog{Rows:[], NoMore:true} in actions (#37631) Run TransferLogs on UpdateLog{Rows:[], NoMore:true} in actions (#37631) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Add label for private and internal package and fix composer source permission check (#37610) Add label for private and internal package and fix composer source permission check (#37610) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Fix allow maintainer edit permission check (#37479) (#37484) Fix allow maintainer edit permission check (#37479) (#37484) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Fix attachment Content-Security-Policy (#37455) (#37464) Fix attachment Content-Security-Policy (#37455) (#37464) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Handle empty pull request files view for reviews (#37783) Handle empty pull request files view for reviews (#37783) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Ensure RenderString never fails in markup (#37779) Ensure RenderString never fails in markup (#37779) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Add natural sort to sortTreeViewNodes (#37772) Add natural sort to sortTreeViewNodes (#37772) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Set User-Agent on avatar fetch and sync on link-account register (#37564) (#37588) Set User-Agent on avatar fetch and sync on link-account register (#37564) (#37588) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Ensure /generate syncs branch table for new repo (#37693) Ensure /generate syncs branch table for new repo (#37693) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Show correct merge base for commits Show correct merge base for commits Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Run TransferLogs when UpdateLog reports no more rows (#37631) Run TransferLogs when UpdateLog reports no more rows (#37631) Source: granite4.1:30b@2026-05-20-audit Confidence: low	—
Bugfix	Low	Resolve basic authentication vulnerability (#37503) Resolve basic authentication vulnerability (#37503) Source: granite4.1:30b@2026-05-20-audit Confidence: low	—
Bugfix	Low	Fix wrong assumption that run ID always ≥ job ID in actions (#37737) Fix wrong assumption that run ID always ≥ job ID in actions (#37737) Source: granite4.1:30b@2026-05-20-audit Confidence: low	—
Other	Medium	Fix snap build (1.26) Fix snap build (1.26) Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—

Full changelog

SECURITY
- fix(permissions): Fix reading permission (#37769)
- fix(actions): make artifact signature payloads unambiguous (#37707)
- fix: Unify public-only token filtering in API queries and repo access checks (#37118)
- fix: Add missed token scope checking (#37735)
- fix(oauth): bind token exchanges to the original client request (#37704)
- fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706)
- fix(web): enforce token scopes on raw, media, and attachment downloads (#37698)
- fix(security): enforce wiki git writes and LFS token access at request time (#37695)
- feat(api): encrypt AWS creds (#37679)
- fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test
- fix(packages): Add label for private and internal package and fix composor package source permission check (#37610)
- fix(git): Fix smart http request scope bug (#37583)
- Fix basic auth bug (#37503)
- Fix allow maintainer edit permission check (#37479) (#37484)
- Fix URL sanitization to handle schemeless credentials (#37440) (#37471)
- Fix attachment Content-Security-Policy (#37455) (#37464)
- chore(deps): bump go-git/go-git/v5 to 5.19.0 (#37608)
BUGFIXES
- fix(pull): handle empty pull request files view to allow reviews (#37783)
- fix(markup): make RenderString never fail (#37779)
- fix: add natural sort to sortTreeViewNodes (#37772)
- fix: package creation unique conflict (#37774)
- fix!: add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (#37465)
- fix: Allow direct commits for unprotected files with push restrictions (#37657)
- fix(actions): wrong assumption that run id always >= job id (#37737)
- fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564) (#37588)
- fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692)
- fix(repo): /generate must sync the branch table for the new repo (#37693)
- build: Fix snap build (1.26)
- fix(actions): run TransferLogs on UpdateLog{Rows:[], NoMore:true} (#37631)
- fix show correct mergebase
- fix: make clone URL respect public URL detection setting (#37615)
- fix: "run as root" check (#37622)
- chore(deps): update dependency go to v1.26.3 (#37601)
- Compare dropdown fails when selecting branch with no common merge-base (#37470)
- fix: treat email addresses case-insensitively (#37600)
- fix(actions): fix blank lines after ::endgroup:: (#37597)
- fix(actions): report individual step status in workflow job API response (#37592)
- fix: Invalid UTF-8 commit messages in JSON API responses (#37542)
- fix: use consistent GetUser family functions (#37553)
- fix(api): return 409 message instead of empty JSON for wrong commit id (#37572)
- fix(actions): prevent panic when workflow contains null jobs (#37570)
- Make ServeSetHeaders default to download attachment if filename exists (#37552) (#37555)
- Fix(actions): validate workflow param to prevent 500 error (#37546) (#37554)
- Don't unblock run-level-concurrency-blocked runs in the resolver (#37461) (#37538)
- Fix(packages): use file names for generic web downloads (#37514) (#37520)
- Fix merge autodetect can't close other PRs but only the last one when multiple PRs are pushed at once (#37512) (#37516)
- Fix update branch protection order (#37508) (#37513)
- Fix mCaptcha broken after Vite migration (#37492) (#37509)
- Fix review submission from single-commit PR view (#37475) (#37485)
- Fix scheduled action panic with null event payload (#37459) (#37466)
- Make GetPossibleUserByID can handle deleted user (#37430) (#37431)
- Remove excessive quote from terraform instructions (#37424) (#37426)
- Fix color regressions, add priority color (#37417) (#37421)
MISC
- Add CurrentURL template variable back (#37444) (#37449)

Instances on Gitea Cloud will be automatically upgraded to this version during the specified maintenance window.

Security Fixes

Fix(permissions): Correct reading permission handling (#37769)
Fix(actions): Make artifact signature payloads unambiguous (#37707)
Unify public‑only token filtering in API queries and repo access checks (#37118)
Add missed token scope checking (#37735)
Bind OAuth token exchanges to original client request (#37704)
Strengthen PKCE validation and refresh token replay protection (#37706)
Enforce token scopes on raw, media, and attachment downloads (#37698)
Enforce wiki git writes and LFS token access at request time (#37695)
Update dependency mermaid to v11.15.0 for security fixes
Fix private/internal package label handling and composor source permission check (#37610)
Fix smart http request scope bug in git operations (#37583)
Fix basic auth, maintainer edit permission checks, URL sanitization, attachment CSP, and various other web security issues

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track gitea

Get notified when new releases ship.

About gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD

All releases →

gitea

Summary

Changes in this release

Security Fixes

Related context

Related tools