The article discusses two critical security vulnerabilities affecting Gitea, a popular self-hosted platform for managing Git repositories. The vulnerabilities, CVE-2026-20896 and CVE-2026-22874, allow attackers to bypass authentication and to perform Server-Side Request Forgery (SSRF), potentially giving them full control over administrative accounts and letting them reach sensitive cloud infrastructure from the server's own network position. The first, with a CVSS score of 9.8, is due to misconfigured reverse proxy authentication, the mode in which Gitea accepts the identity of the logged-in user as asserted by the proxy in front of it.
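The class of bug behind a reverse-proxy authentication bypass, as an added example that is not Gitea's code and does not describe the specific flaw in CVE-2026-20896: an application in this mode takes the logged-in user from a header the front proxy sets, so it must only believe that header when the request really came from the proxy. The header name `X-Proxy-User`, the trusted ranges and the peer addresses are constructed for the demonstration. The naive check beside the hardened one shows why "misconfigured" here is enough for a full bypass: anyone who can reach the application without passing through the proxy just sets the header.

```go
package main

// Added example, not Gitea's code: it illustrates the class of bug behind
// a reverse-proxy authentication bypass. The header name, the trusted ranges
// and the peer addresses below are constructed.

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

// authHeader is the hypothetical header the front proxy uses to assert the user.
const authHeader = "X-Proxy-User"

// naiveUser is the bypass: it believes the header no matter who sent it.
func naiveUser(r *http.Request) string {
	return r.Header.Get(authHeader)
}

// trustedUser honours the header only when the TCP peer is inside one of the
// trusted proxy ranges; otherwise the header is ignored and "" (anonymous)
// is returned. A malformed peer address is an error, never a pass.
func trustedUser(r *http.Request, trusted []netip.Prefix) (string, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", fmt.Errorf("malformed RemoteAddr %q: %w", r.RemoteAddr, err)
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return "", fmt.Errorf("malformed peer address %q: %w", host, err)
	}
	// An IPv4 peer on a dual-stack listener shows up as ::ffff:a.b.c.d, and
	// netip.Prefix.Contains never matches a v4-mapped address against a v4
	// prefix, so unmap first or the real proxy itself would be rejected.
	peer = peer.Unmap()
	for _, p := range trusted {
		if p.Contains(peer) {
			return r.Header.Get(authHeader), nil
		}
	}
	return "", nil
}

// parseTrusted turns a config-style list of CIDRs into prefixes, failing
// closed on any malformed entry (a bare address without a length is rejected).
func parseTrusted(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy entry %q: %w", c, err)
		}
		out = append(out, p)
	}
	return out, nil
}

// withProxyAuth wraps a handler so it only ever sees the identity the trust
// check accepted, carried in a hypothetical X-Verified-User header; the raw
// assertion header is stripped so no handler can be fooled by it.
func withProxyAuth(trusted []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, err := trustedUser(r, trusted)
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		r.Header.Del(authHeader)
		if user != "" {
			r.Header.Set("X-Verified-User", user)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	trusted, err := parseTrusted([]string{"127.0.0.0/8", "::1/128"})
	if err != nil {
		panic(err)
	}
	req, _ := http.NewRequest("GET", "/admin", nil)
	req.Header.Set(authHeader, "admin") // forged by whoever reaches the app directly
	for _, peer := range []string{"203.0.113.9:51234", "127.0.0.1:4000", "[::ffff:127.0.0.1]:4000"} {
		req.RemoteAddr = peer
		user, _ := trustedUser(req, trusted)
		fmt.Printf("peer %-26s naive=%q checked=%q\n", peer, naiveUser(req), user)
	}
}
```

Two deployment checks follow from the code: the application must not be reachable except through the proxy (the peer check is worthless if an attacker can talk to the proxy's own address space), and the proxy must overwrite or drop the assertion header on every incoming request rather than forward a client-supplied value.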
The second, with a CVSS score of 9.6, arises from an incomplete SSRF allow-list: the check meant to limit which hosts Gitea will make outbound requests to leaves some internal destinations reachable. Both vulnerabilities affect Gitea versions 1.26.2 and earlier; upgrading to 1.26.3 is required to be protected.
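What "incomplete" typically means for an SSRF allow-list, as an added example that is not Gitea's code and does not reproduce the specific gap in CVE-2026-22874: a check that rejects a few textual spellings of "internal" beside one that decides on the addresses a request would actually reach. The hostnames, addresses and the resolver table (which stands in for DNS so the code runs offline) are constructed. The hardened version goes beyond any single case on the page and covers the usual misses together: the cloud metadata endpoint, 0.0.0.0, IPv4-mapped IPv6, names that resolve to private space, multi-address names and non-HTTP schemes.

```go
package main

// Added example, not Gitea's code: an incomplete SSRF allow-list beside one
// that judges resolved addresses. Hostnames and addresses are constructed.

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// naiveAllowed is the kind of incomplete check that earns an SSRF CVE: it
// rejects some spellings of local targets and lets every other route to the
// same places through.
func naiveAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	h := strings.ToLower(u.Hostname())
	return !(h == "localhost" || strings.HasPrefix(h, "127.") ||
		strings.HasPrefix(h, "10.") || strings.HasPrefix(h, "192.168."))
}

// Resolver maps a hostname to the addresses it would be dialled at.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// LiveResolver uses the system resolver; the demo below stays offline.
func LiveResolver(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// TableResolver answers from a fixed map and fails closed for unknown names.
func TableResolver(table map[string][]netip.Addr) Resolver {
	return func(_ context.Context, host string) ([]netip.Addr, error) {
		addrs, ok := table[strings.ToLower(host)]
		if !ok {
			return nil, fmt.Errorf("no such host: %s", host)
		}
		return addrs, nil
	}
}

// cgnat is 100.64.0.0/10, which netip.Addr.IsPrivate does not cover.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// blockedAddr is applied to every address a target can reach: loopback,
// RFC 1918 and ULA, link-local (including 169.254.169.254, the cloud metadata
// endpoint), unspecified, multicast and CGNAT. Unmap first so
// ::ffff:127.0.0.1 is judged as 127.0.0.1.
func blockedAddr(ip netip.Addr) bool {
	ip = ip.Unmap()
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified() || cgnat.Contains(ip)
}

// hardenedAllowed accepts only http(s) targets whose every resolved address
// passes blockedAddr. A resolution failure is a rejection, not a pass.
func hardenedAllowed(ctx context.Context, raw string, resolve Resolver) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return false, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal address: nothing to resolve
	} else {
		addrs, err = resolve(ctx, host)
		if err != nil {
			return false, err
		}
		if len(addrs) == 0 {
			return false, fmt.Errorf("%s resolved to no addresses", host)
		}
	}
	for _, a := range addrs {
		if blockedAddr(a) {
			return false, fmt.Errorf("%s reaches blocked address %s", host, a)
		}
	}
	return true, nil
}

func main() {
	resolve := TableResolver(map[string][]netip.Addr{
		"example.test":          {netip.MustParseAddr("203.0.113.10")},
		"internal.example.test": {netip.MustParseAddr("10.1.2.3")},
	})
	for _, target := range []string{
		"http://example.test/hook",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"http://internal.example.test/",
	} {
		ok, err := hardenedAllowed(context.Background(), target, resolve)
		fmt.Printf("%-42s naive=%v hardened=%v %v\n", target, naiveAllowed(target), ok, err)
	}
}
```

One caveat the check alone does not solve: the address that passed must be the one the client dials, or a DNS answer that changes between the check and the connection (rebinding) defeats it. In a real client, repeat `blockedAddr` on the address handed to `net.Dialer`'s `Control` hook, where the connection's actual target is known.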