CVE-2026-26247
Discovered by AISLE
PUBLISHED
Description
An OAuth2 PKCE flaw in Gitea where code_challenge_method=S256 was not handled correctly during authorization, causing the S256 method not to be persisted and weakening or bypassing the expected PKCE verifier enforcement during the token exchange.
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Unknown | Gitea | < 1.25.5 | — |