Gitea | v1.26.2

Gitea v1.26.2 released on 20-05-2026


Gitea v1.26.2 is out now. It tightens token, OAuth and access controls with a broad set of security fixes (stronger PKCE validation, refresh-token replay protection, token scope checks and binding token exchanges to the original client request).

See the release notes on the Gitea repository or visit Gitea Cloud (https://cloud.gitea.com) for details and information about automatic upgrades for cloud instances.

What’s in this release

  • Security hardening: unified public-only token filtering, fixes for permission reading, missed token scope checks, enforced token scopes on raw/media/attachment downloads, and encrypted AWS credentials support.
  • Actions and workflow reliability fixes: resolve deadlocks between run preparation and task updates, correct run/job ID assumptions, ensure TransferLogs is called correctly, prevent panics for null jobs and null event payloads, and improve step/status reporting.
  • Git, repository and package fixes: smart HTTP request scope bug fix, basic-auth and avatar fetch fixes, composer/package source permission fixes with labels for private/internal packages, URL sanitization for schemeless credentials, and bumped Go and go-git dependencies.

Upgrade notes

  • Notable configuration change: a new DEFAULT_TITLE_SOURCE setting alters pull request title default behaviour — review and adjust your configuration if you rely on the previous default.
  • Gitea Cloud instances will be automatically upgraded during the scheduled maintenance window. For self‑hosted instances, follow your usual backup and rollback procedures if you need to revert to an earlier release.

Share any comments or problems you encounter with v1.26.2 on the project issue tracker or community channels so maintainers and other users can follow up.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes