CVE-2026-26247
Discovered by AISLEPUBLISHEDCWE-284
Description
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Gitea | Gitea | < 1.25.5 | affected |
Credits
- Aisle Research(reporter)