CVE-2026-20779

TOTP Single-Use Bypass in Gitea

Vulnerability report for CVE-2026-20779, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Gitea Limited

Description

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.


Meta Information

Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: gitea
Product: gitea
Version / Range: from 1.5.0 (inclusive) to 1.26.3 (exclusive)

Exploitability

CWE-294: A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Executive Summary

This vulnerability exists in Gitea versions from 1.5.0 before 1.26.3 and involves a defect in the enforcement of single-use TOTP (Time-based One-Time Password) codes.

Specifically, a valid TOTP code can be accepted more than once during web two-factor authentication flows and the Basic Auth X-Gitea-OTP path, which should not happen since TOTP codes are intended to be single-use.

Impact Analysis

Because a valid TOTP code can be reused, an attacker who obtains a single valid TOTP code could pass the second factor more than once, instead of exactly once as TOTP single-use semantics require.

This undermines the security of the authentication process, increasing the risk of unauthorized access to accounts protected by Gitea's two-factor authentication.

The CVSS score of 7.1 indicates a high severity impact, with high confidentiality impact and low integrity impact.
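As an added illustration (not Gitea's code and not its patch), the Go sketch below contrasts a minimal RFC 6238 verifier that lacks single-use enforcement, so the same code passes twice, with one that records the last consumed time step per user and rejects any replay of it; the user ID, secret and timestamp are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// totpCode returns the 6-digit RFC 6238 code for one time-step counter.
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier remembers the last step consumed per user; SingleUse=false models the defect.
type Verifier struct {
	SingleUse bool
	lastUsed  map[string]uint64 // user ID -> last accepted time-step counter
}

// Verify checks the code for the current step (no skew window, to keep the
// demo short) and, when SingleUse is set, rejects any step already consumed.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	cur := uint64(now.Unix()) / stepSeconds
	if !hmac.Equal([]byte(totpCode(secret, cur)), []byte(code)) {
		return false
	}
	if v.SingleUse && cur <= v.lastUsed[user] {
		return false // replay: this time step was already used for this user
	}
	v.lastUsed[user] = cur
	return true
}

// ReplayOutcome submits one valid code twice (constructed secret, user and clock).
func ReplayOutcome(singleUse bool) (first, second bool) {
	secret, now := []byte("constructed-demo-secret"), time.Unix(1_800_000_000, 0)
	code := totpCode(secret, uint64(now.Unix())/stepSeconds)
	v := &Verifier{SingleUse: singleUse, lastUsed: map[string]uint64{}}
	return v.Verify("alice", secret, code, now), v.Verify("alice", secret, code, now)
}
```

Without the single-use check the second submission is accepted; with it the second submission is rejected, which is the behaviour the affected versions failed to provide.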
