Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
References
Configurations
No configuration.
History
07 Jul 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
03 Jul 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-03 21:16
Updated : 2026-07-07 18:16
NVD link : CVE-2026-26247
Mitre link : CVE-2026-26247
CVE.ORG link : CVE-2026-26247
JSON object : View
Products Affected
No product.
CWE
CWE-284
Improper Access Control
