9.6
CVE-2026-58426: Gitea Actions Signed URLs May Reveal or Alter Artifacts
Summary
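Gitea Actions artifacts may be exposed or altered because of a weakness in how Artifacts V4 signed URLs are verified: an ambiguity in the HMAC allows cross-repository artifact reads and cross-task upload-state writes. This could allow unauthorized access to sensitive data or tampering with project files. Update Gitea to the latest version to address this issue.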
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| gitea | gitea open source git server | <= 1.26.1 |
Original title
Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write
Original description
Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write
mitre CVSS3.1
9.6
Vulnerability type
CWE-347
Improper Verification of Cryptographic Signature
- https://github.com/go-gitea/gitea/security/advisories/GHSA-hg5r-vq93-9fv6 vendor-advisory
- https://github.com/go-gitea/gitea/pull/37707 patch
- https://github.com/go-gitea/gitea/releases/tag/v1.26.2 release-notes
- https://blog.gitea.com/release-of-1.26.2/ release-notes
Published: 3 Jul 2026 · Updated: 5 Jul 2026 · First seen: 3 Jul 2026