Gitea TOTP 2FA bypass (web TOCTOU + X-Gitea-OTP replay)

cve · CVE-2026-20779

Coverage timeline

first 2026-06-23 → last 2026-06-23

Briefs

1 distinct

Sources cited

11 hosts

Sections touched

—

Co-occurring entities

no co-occurrence

Story timeline

2026-06-23CTI Daily Brief — 2026-06-23

Source distribution

blog.gitea.com1 (9%)
github.com1 (9%)
helpnetsecurity.com1 (9%)
isc.sans.edu1 (9%)
msrc.microsoft.com1 (9%)
noscope.com1 (9%)
rapid7.com1 (9%)
security-hub.ncsc.admin.ch1 (9%)
other3 (27%)

External references

NVD · cve.org · CISA KEV

All cited sources (11)

blog.gitea.comprimaryinlineGitea, 2026-06-21https://blog.gitea.com/release-of-1.26.3-and-1.26.4
cited in 2026-06-23
github.cominlineGitHub Security Advisory GHSA-f75j-4cw6-rmx4, 2026-06-21https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4
source profile · cited in 2026-06-23
helpnetsecurity.cominlineHelp Net Security, 2026-05-26https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/
source profile · cited in 2026-05-28
isc.sans.eduinlineSANS ISChttps://isc.sans.edu/diary/33094
source profile · cited in 2026-06-23
msrc.microsoft.cominlineMicrosoft MSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45659
source profile · cited in 2026-05-28
noscope.cominlineNoScopehttps://www.noscope.com/blog/gitea-instances-exposing-private-container
cited in 2026-05-28
rapid7.cominlineRapid7 Labshttps://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
source profile · cited in 2026-05-29
security-hub.ncsc.admin.chinlineNCSC-CH post 12594https://security-hub.ncsc.admin.ch/#/posts/12594
source profile · cited in 2026-05-28
thehackernews.cominlineThe Hacker News, 2026-05-27https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html
cited in 2026-05-28
wid.cert-bund.deinlineBSI WID, 2026-06-22https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2027
source profile · cited in 2026-06-23
wordfence.cominlineWordfencehttps://www.wordfence.com/blog/2026/06/psa-supply-chain-compromise-targets-shapedplugin-backdoored-pro-plugins-distributed-via-official-channels/
cited in 2026-06-23

Items in briefs about Gitea TOTP 2FA bypass (web TOCTOU + X-Gitea-OTP replay)

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.