CVE-2021-45326
Description
Cross-Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous, especially with state-altering POST requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Gitea before 1.5.2 allows attackers to perform state-changing POST requests via API routes without CSRF token validation.
Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability exists in Gitea API routes prior to version 1.5.2. The API endpoints that accept state-changing POST requests do not require a CSRF token, allowing an attacker to forge requests on behalf of an authenticated user [1][3].
Exploitation
An attacker can exploit this by crafting a malicious website, email, or link that, when visited by an authenticated Gitea user, triggers an unwanted API call (e.g., via an HTML form or image tag). Since the victim's browser automatically sends session cookies, the forged request is processed by Gitea as legitimate. No special network position or additional privileges are required beyond the victim being logged in [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary state-changing operations on the victim's behalf, such as creating, modifying, or deleting repositories, issues, or user settings. The integrity of the Gitea instance is compromised, and confidentiality may be affected if the API returns sensitive data in responses [1][3].
Mitigation
Upgrade to Gitea version 1.5.2 or later, released on October 2, 2018, which enforces CSRF token validation on API routes [1][3]. If upgrading is not immediately possible, consider implementing additional CSRF protections, such as SameSite cookie attributes or custom middleware, though no official workaround is provided by the vendor.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
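As an added illustration of the fix the mitigation describes (written for this page, not Gitea's own code): a Go HTTP middleware that lets a cookie-authenticated, state-changing API request through only when it echoes the session's CSRF token in a request header, which a forged cross-site form or image tag cannot set, while safe methods and requests authenticated by an explicit Authorization header pass unchanged. The cookie name `_csrf`, the header name `X-Csrf-Token`, the `gitea.example` host and the `probe` helper are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// csrfProtect rejects state-changing API requests that carry only a session
// cookie and no CSRF proof. Illustrative; cookie and header names are assumptions.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r) // safe methods change no state
			return
		}
		// Browsers never add Authorization on their own, so a cross-site form cannot forge it.
		if r.Header.Get("Authorization") != "" {
			next.ServeHTTP(w, r)
			return
		}
		// Cookie session: the token must be echoed in a header a forged <form> or <img> cannot set.
		c, err := r.Cookie("_csrf")
		tok := []byte(r.Header.Get("X-Csrf-Token"))
		if err != nil || c.Value == "" || subtle.ConstantTimeCompare(tok, []byte(c.Value)) != 1 {
			http.Error(w, "CSRF token missing or invalid", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns the status code.
// An empty cookie, token or auth value stands in for an absent one.
func probe(method, cookie, token, auth string) int {
	created := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	req := httptest.NewRequest(method, "http://gitea.example/api/v1/user/repos", nil)
	req.AddCookie(&http.Cookie{Name: "_csrf", Value: cookie})
	req.Header.Set("X-Csrf-Token", token)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	csrfProtect(created).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("cookie-only forged POST:", probe("POST", "s3cr3t", "", ""))       // 403
	fmt.Println("same-site POST with token:", probe("POST", "s3cr3t", "s3cr3t", "")) // 201
}
```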
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-gitea/gitea (Go) | < 1.5.2 | 1.5.2 |
Affected products (3)
- Gitea/Gitea (OSV coordinates, 2 versions): < 1.5.2, + 1 more
- (no CPE) range: < 1.5.2
- (no CPE) range: < 1.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- github.com/advisories/GHSA-4wp3-8q92-mh8w (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-45326 (ghsa, ADVISORY)
- blog.gitea.io/2018/10/gitea-1.5.2-is-released (ghsa, WEB)
- blog.gitea.io/2018/10/gitea-1.5.2-is-released/ (mitre, x_refsource_MISC)
- github.com/go-gitea/gitea/issues/4838 (ghsa, x_refsource_MISC, WEB)
- github.com/go-gitea/gitea/pull/4840 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.