PT-2026-36652 · Go+1 · Code.Gitea.Io/Gitea+4

Published

2026-04-22

·

Updated

2026-05-29

CVSS v4.0

6.3

Medium

Vector AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gitea (affected versions not specified)
Description: The built-in SSH server ships with default settings that advertise weak or deprecated key exchange, MAC, and host key algorithms. Specifically, the server offers the NIST-curve key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384 and ecdh-sha2-nistp521, the SHA-1-based hmac-sha1 MAC algorithm, and the ssh-rsa host key algorithm (RSA signatures over SHA-1). The CVSS vector records that exploitation needs an attacker able to interfere with the connection (AC:H, AT:P) and that the impact is limited to partial loss of confidentiality and integrity (VC:L, VI:L).
Recommendations: As a temporary workaround, set the following keys in the [server] section of the configuration file (app.ini); each value is a comma-separated algorithm list:
  • SSH_SERVER_KEY_EXCHANGES = curve25519-sha256, diffie-hellman-group14-sha256
  • SSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
  • SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256
These three keys restrict key exchange, ciphers and MACs only; the ssh-rsa host key algorithm named in the description is not controlled by them, so check the algorithm lists the server actually advertises after restarting Gitea. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
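To confirm what the server really advertises before and after applying the workaround, the following Python script is an added example (not code from this page or from the Gitea project). It decodes an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), the first packet a server sends, which is always unencrypted, and flags the algorithms this advisory names. The sample name-lists are constructed, not captured from a real Gitea instance, and the hardened sample's continued offer of ssh-rsa is an assumption made to illustrate that the three workaround keys do not cover host key algorithms; the host, port and banner string in probe() are placeholders.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# Name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
)

# Algorithms the advisory names as weak or deprecated, keyed by the list they live in.
WEAK = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "host_key": {"ssh-rsa"},
    "mac": {"hmac-sha1"},
}


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (type byte, 16-byte cookie, ten name-lists) into lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos = 1 + 16  # skip message type and cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    return lists


def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists into a KEXINIT payload; used here to construct offline input."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie is fine for a test vector
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, ())).encode("ascii")
        payload += struct.pack(">I", len(raw)) + raw
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def weak_algorithms(lists: dict) -> dict:
    """Return the advertised algorithms that match WEAK, per category, sorted."""
    hits = {}
    for category, bad in WEAK.items():
        if category == "mac":
            advertised = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
        else:
            advertised = set(lists[category])
        found = sorted(advertised & bad)
        if found:
            hits[category] = found
    return hits


def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Fetch and parse a live server's KEXINIT (host/port are caller-supplied placeholders).
    The first binary packet is unencrypted and uncompressed, so no crypto is needed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe_0.1\r\n")  # hypothetical client banner
        stream = sock.makefile("rb")
        while True:  # servers may send free-form lines before their version string
            line = stream.readline()
            if not line or line.startswith(b"SSH-"):
                break
        (packet_length,) = struct.unpack(">I", stream.read(4))
        padding_length = stream.read(1)[0]
        payload = stream.read(packet_length - padding_length - 1)
    return parse_kexinit(payload)


# Constructed sample lists (not captured from a real Gitea instance). The first
# mirrors the defaults the advisory describes; the second applies the workaround's
# three settings and, as an assumption, still offers ssh-rsa because those settings
# do not touch host key algorithms.
SAMPLE_DEFAULT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256"],
    "host_key": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-ed25519"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr"], "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
SAMPLE_HARDENED = {
    **SAMPLE_DEFAULT,
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, weak_algorithms(parse_kexinit(build_kexinit(sample))))
```

Against a real deployment, call weak_algorithms(probe(host, port)) with the port the built-in SSH server listens on; an empty result means none of the advisory's algorithms are offered. The same information is available without custom code from nmap's ssh2-enum-algos script, but the parser above makes explicit which of the ten KEXINIT lists each finding comes from, which is what you need when deciding whether a remaining hit is a host key issue the three workaround keys cannot fix.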

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

GHSA-3M6Q-H5GJ-7MRW

Affected Products

Code.Gitea.Io/Gitea
Gitea
Gitea-Docs
Gitea-Fish-Completion
Gitea-Zsh-Completion