Gitea | v1.26.2

Gitea v1.26.2 released on 20-05-2026


Gitea v1.26.2 is out now. It closes multiple security gaps and tightens token and OAuth handling while improving Actions/workflow stability and API/repo access behaviours.

Visit the Gitea GitHub releases page or the official Gitea site for the full changelog and upgrade instructions.

What’s in this release

  • Security hardening: fixes for permission reading, unambiguous artifact signature payloads, unified public-only token filtering, missed token scope checks, binding token exchanges to the original client request, stronger PKCE validation and refresh-token replay protection, enforcement of token scopes for raw/media/attachment downloads, and a new option to encrypt AWS credentials.
  • Actions, workflows and CI stability fixes: resolve deadlocks between PrepareRunAndInsert and UpdateTaskByState, ensure TransferLogs runs on empty/closed log updates, report per-step status in workflow job API responses, prevent panics for null jobs and scheduled actions with null payloads, and validate workflow parameters to avoid 500s.
  • API, permissions, packages and Git access corrections: fix smart HTTP request scope handling, unify token filtering in API queries and repo access checks, enforce token scopes at download time, add labels and permission checks for packages, and address various auth, attachment and URL-sanitisation bugs.

Upgrade notes

  • No breaking changes are listed, but token and OAuth handling has been tightened—review any custom integrations, token scopes and PKCE flows before upgrading.
  • Gitea Cloud instances will be auto-upgraded during the scheduled maintenance window; for self-hosted instances, test the upgrade in staging and ensure backups are available to support your usual rollback procedure if needed.

Share comments on your experience upgrading to v1.26.2 or report any issues you encounter on Gitea’s GitHub so the community can follow up.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes