Description
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
Published:
2026-07-03
Score:
n/a
EPSS:
n/a
KEV:
No
Impact:
n/a
Action:
n/a
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 03 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check. | |
| Title | Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange | |
| Weaknesses | CWE-284 | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: Gitea
Published:
Updated: 2026-07-03T20:19:34.820Z
Reserved: 2026-03-03T03:25:28.654Z
Link: CVE-2026-26247
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses