{"id":9086,"date":"2026-07-03T22:37:55","date_gmt":"2026-07-03T22:37:55","guid":{"rendered":"https:\/\/locaterisk.com\/de\/?p=9086"},"modified":"2026-07-03T22:37:55","modified_gmt":"2026-07-03T22:37:55","slug":"cve-2026-58426-gitea-actions-vulnerability","status":"publish","type":"post","link":"https:\/\/locaterisk.com\/en\/cve-2026-58426-gitea-actions-vulnerability\/","title":{"rendered":"CVE-2026-58426: Critical Vulnerability in Gitea Actions Allows Unauthorized Data Access"},"content":{"rendered":"<div class=\"wp-block-lr-blog-article-header-module\">\r\n    <div class=\"content\">\r\n\t\t<div class=\"headline\">\r\n\t\t\t\t\t<\/div>\r\n        <div class=\"main-content\">\r\n\t\t\t\t\t\t<!--\r\n            <div class=\"header\">\r\n                <h6> <\/h6>\r\n            <\/div>\r\n\t\t\t\t\t\t-->\r\n            <h1 class=\"title\">CVE-2026-58426: Critical Vulnerability in Gitea Actions Allows Unauthorized Data Access<\/h1>\r\n            <p class=\"paragraph\"><br><span class=\"lr-ai-disclosure\" style=\"display:block;margin:8px 0 28px;font-size:14px;line-height:1.4;color:#8b93a7;font-family:inherit;font-style:italic;\">This text was generated using artificial intelligence (AI).<\/span>A critical security vulnerability with a CVSS score of <strong>9.6<\/strong> (Critical) has been disclosed in the widely used, self-hosted Git platform <strong>Gitea<\/strong>. The vulnerability, tracked as <strong>CVE-2026-58426<\/strong> in security advisory <a href=\"https:\/\/github.com\/go-gitea\/gitea\/security\/advisories\/GHSA-hg5r-vq93-9fv6\" target=\"_blank\" rel=\"noreferrer noopener\">GHSA-hg5r-vq93-9fv6<\/a>, affects the Gitea Actions feature. 
It allows authenticated attackers with low privileges to bypass security boundaries between different projects in order to access sensitive build artifacts and manipulate their upload status. A security update to address the issue is available.<\/p>\r\n        <\/div>\r\n    <\/div>\r\n<\/div>\r\n\r\n\r\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"400\" src=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png\" alt=\"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht Datenzugriff\" class=\"wp-image-9085\" srcset=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png 400w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured-300x300.png 300w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured-150x150.png 150w, https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured-12x12.png 12w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure><\/div>\n\n\n<p><strong>The Facts at a Glance:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE ID:<\/strong> CVE-2026-58426 (Advisory: <a href=\"https:\/\/github.com\/go-gitea\/gitea\/security\/advisories\/GHSA-hg5r-vq93-9fv6\" target=\"_blank\" rel=\"noreferrer noopener\">GHSA-hg5r-vq93-9fv6<\/a>)<\/li>\n\n\n\n<li><strong>CVSS Score:<\/strong> 9.6 (Critical)<\/li>\n\n\n\n<li><strong>Affected component:<\/strong> Gitea instances with Actions enabled<\/li>\n\n\n\n<li><strong>Effect:<\/strong> Unauthorized read access to build artifacts and write access to the upload status across repository boundaries.<\/li>\n\n\n\n<li><strong>Solution:<\/strong> Upgrade to <strong>Gitea Version 1.26.4<\/strong> or the latest stable version (Note: Version 1.26.2 contains a known regression; Gitea recommends updating directly to 1.26.4).<\/li>\n<\/ul>\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>Technical Analysis of CVE-2026-58426<\/strong><\/h2>\n\n\n\n<p>The cause of the vulnerability lies in an ambiguity in the cryptographic verification of HMAC signatures used for signed URLs in the Gitea Actions Artifacts V4 API. An attacker who already has low-privileged access to the Gitea instance can send specially crafted requests to the API. Due to the faulty signature verification, the system incorrectly interprets these requests as legitimate.<\/p>\n\n\n\n<p>The CVSS vector <strong>CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:N<\/strong> illustrates the potential threat:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AV:N (Network):<\/strong> The attack can be carried out remotely over the network.<\/li>\n\n\n\n<li><strong>AC:L (Low):<\/strong> Carrying out the attack does not require a high degree of complexity.<\/li>\n\n\n\n<li><strong>PR:L (Low):<\/strong> An attacker only needs an account with low privileges.<\/li>\n\n\n\n<li><strong>S:C (Scope Changed):<\/strong> The impact is not confined to the repository the attacker has access to, but extends across repository boundaries.<\/li>\n\n\n\n<li><strong>C:H (High Confidentiality) &amp; I:H (High Integrity):<\/strong> The impact on data confidentiality and integrity is significant.<\/li>\n<\/ul>\n\n\n\n<p>The fix was implemented in pull request #37707, which modifies the structure of the signature payload so that it can only be validated unambiguously.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Business Risks Posed by Compromised CI\/CD Pipelines<\/strong><\/h2>\n\n\n\n<p>This vulnerability poses a significant risk to companies that use a central Gitea instance for multiple development teams or projects. 
Build artifacts are a key component of CI\/CD processes and often contain sensitive information such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compiled application binaries and libraries<\/li>\n\n\n\n<li>Configuration files containing login credentials for databases or cloud services<\/li>\n\n\n\n<li>Private API keys and tokens<\/li>\n\n\n\n<li>Intellectual property in the form of source code or proprietary assets<\/li>\n<\/ul>\n\n\n\n<p>By exploiting <strong>CVE-2026-58426<\/strong>, an attacker with access to a non-critical repository can breach this logical isolation and gain access to artifacts from highly secured production pipelines. This can lead to the theft of trade secrets, the compromise of production environments, or the manipulation of the software supply chain.<\/p>\n\n\n\n<p>CVE-2026-58426 is not the first critical security vulnerability found in Gitea: as recently as May 2026, CVE-2026-27771 (CVSS 8.2) was patched, a vulnerability that allowed unauthenticated attackers to retrieve private container images from an estimated 30,000+ affected deployments worldwide. This spate of critical vulnerabilities underscores the need for systematic vendor risk management. (Source: SecurityWeek, TheHackerNews, May 2026 \u2014 https:\/\/www.securityweek.com\/gitea-vulnerability-exposed-30000-deployments-to-attacks\/)<\/p>\n\n\n\n<p>According to security researchers, Germany is among the countries with the highest density of exposed Gitea instances. Organizations subject to NIS-2 or the GDPR should treat compromised build artifacts as a potential data breach and, if necessary, consider filing a report in accordance with GDPR Article 33 within 72 hours. 
Operators of critical infrastructure are also subject to the reporting requirements under the BSI Act.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recommended countermeasures<\/strong><\/h2>\n\n\n\n<p>Administrators of Gitea instances should take immediate action to secure their systems.<\/p>\n\n\n\n<p><strong>Immediate action:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Upgrade to <strong>Gitea Version 1.26.4<\/strong> or the latest stable version. The original security patch was released on May 20, 2026, as version 1.26.2; however, since 1.26.2 contains a known regression, Gitea recommends updating directly to 1.26.4.<\/li>\n<\/ul>\n\n\n\n<p><strong>Long-Term Strategy:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set up continuous vulnerability monitoring for your entire IT infrastructure so you can be notified promptly of new security vulnerabilities.<\/li>\n\n\n\n<li>Implement a vendor risk management system to systematically assess and monitor the security of third-party products in use.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Visibility and Control with LocateRisk<\/strong><\/h2>\n\n\n\n<p>Self-hosted systems such as Gitea are an important part of the development infrastructure, but without continuous monitoring, they can become an uncontrolled risk. Given the growing number of critical vulnerabilities in widely used open-source platforms, the systematic identification and continuous assessment of such systems is crucial.<\/p>\n\n\n\n<p>The LocateRisk platform supports companies in this regard on two levels:<\/p>\n\n\n\n<ol class=\"wp-block-list has-text-color\" style=\"color:#ffffff\">\n<li><strong>External Attack Surface Management (EASM):<\/strong> Our solution continuously identifies all publicly accessible systems in your organization, including self-hosted Gitea instances, forgotten subdomains, and unmanaged cloud assets. 
This gives you visibility into your actual attack surface and allows you to quickly determine whether and where you are affected by vulnerabilities such as CVE-2026-58426\u2014even if systems are not centrally inventoried.<\/li>\n\n\n\n<li><strong>Continuous Vendor Risk Management (C-VRM):<\/strong> The security of your software supply chain depends on the security of your vendors. The recurring vulnerabilities in Gitea highlight why a one-time assessment is not enough. LocateRisk continuously assesses the security level of your service providers and software vendors and proactively notifies you of new risks.<\/li>\n<\/ol>\n\n\n\n<p>As a German provider offering hosting in ISO 27001-certified data centers in Germany, LocateRisk helps companies comply with GDPR requirements and reduces the risk of data access by U.S. authorities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Sources and further information<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Gitea Security Advisory:<\/strong> <a href=\"https:\/\/github.com\/go-gitea\/gitea\/security\/advisories\/GHSA-hg5r-vq93-9fv6\" target=\"_blank\" rel=\"noreferrer noopener\">GHSA-hg5r-vq93-9fv6<\/a><\/li>\n\n\n\n<li><strong>Gitea Blog Post (Release 1.26.2):<\/strong> <a href=\"https:\/\/blog.gitea.com\/release-of-1.26.2\/\" target=\"_blank\" rel=\"noreferrer noopener\">blog.gitea.com<\/a><\/li>\n\n\n\n<li><strong>GitHub Pull Request (Fix):<\/strong> <a href=\"https:\/\/github.com\/go-gitea\/gitea\/pull\/37707\" target=\"_blank\" rel=\"noreferrer noopener\">#37707<\/a><\/li>\n\n\n\n<li><strong>Gitea Release Notes:<\/strong> <a href=\"https:\/\/github.com\/go-gitea\/gitea\/releases\/tag\/v1.26.2\" target=\"_blank\" rel=\"noreferrer noopener\">v1.26.2<\/a><\/li>\n\n\n\n<li><strong>Vendor History (CVE-2026-27771):<\/strong> SecurityWeek, May 2026 \u2014 <a href=\"https:\/\/www.securityweek.com\/gitea-vulnerability-exposed-30000-deployments-to-attacks\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">https:\/\/www.securityweek.com\/gitea-vulnerability-exposed-30000-deployments-to-attacks\/<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Do you know your external attack surface?<\/strong><\/h2>\n\n\n\n<p>Continuous monitoring of your external IT systems is the foundation of a resilient security strategy. LocateRisk identifies and assesses security risks in your attack surface before they can be exploited.<\/p>\n\n\n\n<p><a href=\"https:\/\/locaterisk.com\/en\/demo\/\" target=\"_blank\" rel=\"noreferrer noopener\">Request a free safety check<\/a><\/p>\n\n\n\n<div class=\"wp-block-lr-faq-module\"><div class=\"content\"><h3><strong>Frequently asked questions<\/strong><\/h3><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>What is CVE-2026-58426, and what vulnerability does it describe?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">CVE-2026-58426 refers to a critical vulnerability (CVSS 9.6) in the Gitea Actions Artifacts V4 API. The vulnerability stems from an ambiguity in the HMAC signature verification of signed URLs, which allows a low-privileged attacker to access build artifacts from other projects across repository boundaries and manipulate their upload status. 
The associated security advisory is listed under the identifier GHSA-hg5r-vq93-9fv6.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Which versions of Gitea are affected, and how can I protect my instance?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">This affects Gitea instances with the Actions feature enabled that have not yet been updated to the latest patch. The fix was implemented in version 1.26.2 (released on May 20, 2026, Pull Request #37707). Since version 1.26.2 contains a known regression, Gitea recommends updating directly to <strong>Version 1.26.4<\/strong> or the latest stable version of the 1.26.x branch.<\/p><\/div><\/div><div class=\"faq-topic\"><hr\/><div class=\"collapsible-title\"><a class=\"pr-4\"><strong>Is there any evidence of active exploitation of CVE-2026-58426?<\/strong><\/a><img class=\"collapse-toggle\" srcset=\"https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@3x.png 3x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus@2x.png 2x,https:\/\/locaterisk.com\/wp-content\/plugins\/locate-risk-prod\/lr-blocks\/faq-module\/img\/ic-plus.png 1x\"\/><\/div><div class=\"collapsible-content\"><p class=\"font-normal\">According to security advisory GHSA-hg5r-vq93-9fv6, as of the date of disclosure (July 3, 2026), there are no confirmed reports of active exploitation of the vulnerability in the wild. 
However, since the attack requires only a low-privileged account and can be carried out over the network without user interaction, the update should still be installed immediately.<\/p><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-lr-footer-module lr-footer-block\"><div class=\"content\"><div class=\"description\"><h6>\u00a9 LocateRisk 2026<\/h6><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>Analysis of the critical vulnerability CVE-2026-58426 (CVSS 9.6) in Gitea. It allows unauthorized access to build artifacts. 
A patch is available.<\/p>","protected":false},"author":13,"featured_media":9085,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[632],"tags":[320,695,228,697,619,696,115,623],"class_list":["post-9086","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-news","tag-ci-cd-security","tag-cve-2026-58426","tag-cvss-9-6","tag-git-sicherheit","tag-gitea","tag-gitea-actions","tag-schwachstelle","tag-software-supply-chain"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2026-58426: Kritische L\u00fccke in Gitea Actions | LocateRisk Analyse<\/title>\n<meta name=\"description\" content=\"Analyse der kritischen Schwachstelle CVE-2026-58426 (CVSS 9.6) in Gitea. Sie erlaubt unberechtigten Zugriff auf Build-Artefakte. Ein Patch ist verf\u00fcgbar.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/locaterisk.com\/en\/cve-2026-58426-gitea-actions-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2026-58426: Kritische L\u00fccke in Gitea Actions | LocateRisk Analyse\" \/>\n<meta property=\"og:description\" content=\"Analyse der kritischen Schwachstelle CVE-2026-58426 (CVSS 9.6) in Gitea. Sie erlaubt unberechtigten Zugriff auf Build-Artefakte. 
Ein Patch ist verf\u00fcgbar.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/locaterisk.com\/en\/cve-2026-58426-gitea-actions-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"LocateRisk\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-03T22:37:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kristina Hoinkis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kristina Hoinkis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/\"},\"author\":{\"name\":\"Kristina Hoinkis\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\"},\"headline\":\"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht 
Datenzugriff\",\"datePublished\":\"2026-07-03T22:37:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/\"},\"wordCount\":1200,\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-58426-featured.png\",\"keywords\":[\"CI\\\/CD Security\",\"CVE-2026-58426\",\"CVSS 9.6\",\"Git-Sicherheit\",\"Gitea\",\"Gitea Actions\",\"Schwachstelle\",\"Software Supply Chain\"],\"articleSection\":[\"Cybersecurity News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/\",\"name\":\"CVE-2026-58426: Kritische L\u00fccke in Gitea Actions | LocateRisk Analyse\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-58426-featured.png\",\"datePublished\":\"2026-07-03T22:37:55+00:00\",\"description\":\"Analyse der kritischen Schwachstelle CVE-2026-58426 (CVSS 9.6) in Gitea. Sie erlaubt unberechtigten Zugriff auf Build-Artefakte. 
Ein Patch ist verf\u00fcgbar.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#primaryimage\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-58426-featured.png\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/cve-2026-58426-featured.png\",\"width\":400,\"height\":400,\"caption\":\"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht Datenzugriff\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/cve-2026-58426-gitea-actions-vulnerability\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/locaterisk.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht Datenzugriff\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"name\":\"LocateRisk\",\"description\":\"IT-Sicherheit messen und 
vergleichen\",\"publisher\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#organization\",\"name\":\"LocateRisk\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"contentUrl\":\"https:\\\/\\\/locaterisk.com\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/Kettenglieder_V0216-9.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"LocateRisk\"},\"image\":{\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/locaterisk\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/locaterisk.com\\\/de\\\/#\\\/schema\\\/person\\\/68f3857c15afa8ff59c545848dddcc32\",\"name\":\"Kristina Hoinkis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g\",\"caption\":\"Kristina Hoinkis\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"CVE-2026-58426: Kritische L\u00fccke in Gitea Actions | LocateRisk Analyse","description":"Analysis of the critical vulnerability CVE-2026-58426 (CVSS 9.6) in Gitea. It allows unauthorized access to build artifacts. A patch is available.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/locaterisk.com\/en\/cve-2026-58426-gitea-actions-vulnerability\/","og_locale":"en_US","og_type":"article","og_title":"CVE-2026-58426: Kritische L\u00fccke in Gitea Actions | LocateRisk Analyse","og_description":"Analyse der kritischen Schwachstelle CVE-2026-58426 (CVSS 9.6) in Gitea. Sie erlaubt unberechtigten Zugriff auf Build-Artefakte. Ein Patch ist verf\u00fcgbar.","og_url":"https:\/\/locaterisk.com\/en\/cve-2026-58426-gitea-actions-vulnerability\/","og_site_name":"LocateRisk","article_published_time":"2026-07-03T22:37:55+00:00","og_image":[{"width":400,"height":400,"url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png","type":"image\/png"}],"author":"Kristina Hoinkis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kristina Hoinkis","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#article","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/"},"author":{"name":"Kristina Hoinkis","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32"},"headline":"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht Datenzugriff","datePublished":"2026-07-03T22:37:55+00:00","mainEntityOfPage":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/"},"wordCount":1200,"publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"image":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png","keywords":["CI\/CD Security","CVE-2026-58426","CVSS 9.6","Git-Sicherheit","Gitea","Gitea Actions","Schwachstelle","Software Supply Chain"],"articleSection":["Cybersecurity News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/","url":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/","name":"CVE-2026-58426: Kritische L\u00fccke in Gitea Actions | LocateRisk Analyse","isPartOf":{"@id":"https:\/\/locaterisk.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#primaryimage"},"image":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png","datePublished":"2026-07-03T22:37:55+00:00","description":"Analysis of the critical vulnerability CVE-2026-58426 (CVSS 9.6) in Gitea. It allows unauthorized access to build artifacts. 
A patch is available.","breadcrumb":{"@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#primaryimage","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2026\/07\/cve-2026-58426-featured.png","width":400,"height":400,"caption":"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht Datenzugriff"},{"@type":"BreadcrumbList","@id":"https:\/\/locaterisk.com\/de\/cve-2026-58426-gitea-actions-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/locaterisk.com\/"},{"@type":"ListItem","position":2,"name":"CVE-2026-58426: Kritische Schwachstelle in Gitea Actions erm\u00f6glicht Datenzugriff"}]},{"@type":"WebSite","@id":"https:\/\/locaterisk.com\/de\/#website","url":"https:\/\/locaterisk.com\/de\/","name":"LocateRisk","description":"Measure and compare IT 
security","publisher":{"@id":"https:\/\/locaterisk.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/locaterisk.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/locaterisk.com\/de\/#organization","name":"LocateRisk","url":"https:\/\/locaterisk.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","contentUrl":"https:\/\/locaterisk.com\/wp-content\/uploads\/2020\/11\/Kettenglieder_V0216-9.jpg","width":1920,"height":1080,"caption":"LocateRisk"},"image":{"@id":"https:\/\/locaterisk.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/locaterisk\/"]},{"@type":"Person","@id":"https:\/\/locaterisk.com\/de\/#\/schema\/person\/68f3857c15afa8ff59c545848dddcc32","name":"Kristina Hoinkis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7756f96249844e60ceb218f17e06217dcbed4993bcd2124e3f59bb8675324f0d?s=96&d=mm&r=g","caption":"Kristina 
Hoinkis"}}]}}}