Security
Gitea Releases Critical Security Patch for CVE-2026-58426 Affecting Actions Artifacts
Tags Security · OSS · Developer Tools
Tenable
Gitea published security patch v1.26.2, fixing CVE-2026-58426, a critical vulnerability (CVSS 9.6) in Actions Artifacts V4. An HMAC signature ambiguity allowed attackers to read artifacts from other repositories and write upload states across tasks, bypassing access controls. The patch was merged on May 20, 2026 and addresses CWE-749 (dangerous artifact manipulation).
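The summary does not say which fields the Actions Artifacts V4 signature covers, so the following added example (not Gitea's code) illustrates the general class of HMAC input ambiguity using hypothetical task and artifact fields: plain concatenation loses field boundaries, while a length-prefixed encoding keeps them. All function names, the key and the field values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ambiguousMAC signs fields by plain concatenation: field boundaries are lost,
// so ("12", "3report") and ("123", "report") yield the same MAC input.
func ambiguousMAC(key []byte, fields ...string) []byte {
	m := hmac.New(sha256.New, key)
	for _, f := range fields {
		m.Write([]byte(f))
	}
	return m.Sum(nil)
}

// canonicalMAC prefixes the field count and each field's length, so every
// distinct tuple of fields maps to a distinct MAC input.
func canonicalMAC(key []byte, fields ...string) []byte {
	m := hmac.New(sha256.New, key)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(fields)))
	m.Write(n[:])
	for _, f := range fields {
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		m.Write(n[:])
		m.Write([]byte(f))
	}
	return m.Sum(nil)
}

// verify recomputes the MAC with the given scheme and compares in constant time.
func verify(mac func([]byte, ...string) []byte, key, sig []byte, fields ...string) bool {
	return hmac.Equal(mac(key, fields...), sig)
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	// Constructed sample: signature issued for task "12", artifact "3report".
	sigA := ambiguousMAC(key, "12", "3report")
	sigC := canonicalMAC(key, "12", "3report")
	// Same bytes, different field split: task "123", artifact "report".
	fmt.Println("ambiguous accepts shifted fields:", verify(ambiguousMAC, key, sigA, "123", "report"))
	fmt.Println("canonical accepts shifted fields:", verify(canonicalMAC, key, sigC, "123", "report"))
}
```

When reviewing signed URLs or tokens, check that every signed field is delimited or length-prefixed before it reaches the MAC, and that the verifier parses the same encoding the signer produced.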
Technical significance
A critical vulnerability in a GitHub Actions alternative affects CI/CD supply chain security. Organizations using Gitea for internal code hosting should upgrade immediately to prevent cross-repository data leaks. The issue highlights the growing security surface of open-source DevOps tooling.