Gitea v1.26.3 released on 20-06-2026

Gitea v1.26.3 is out now. It introduces a breaking change to Actions security: bypassing the fork‑PR approval gate now requires a merged PR, so forked workflows that previously bypassed approval under other conditions will no longer do so.
See the Gitea GitHub release page for the full notes, security details and download assets.
What’s in this release
- Breaking change for Actions: require a merged PR to bypass the fork‑PR approval gate (behavior for forked contributions is now stricter).
- Security hardenings and fixes, including hostmatcher patches (private list and reserved IP blocking), fixes for anonymous clone access to private repos, ignoring stale OIDC external‑login links, LFS access hardening and a dependency bump of golang.org/x/net to v0.55.0.
- Actions, API and workflow bugfixes — add Link header to ListForks API, return 404 when a job log blob is missing, exclude workflow_call from trigger detection, reject workflow_dispatch for workflows not declaring the trigger, preserve clickable run titles and several other workflow and API fixes.
Upgrade notes
- Breaking behaviour: update CI and approval processes that relied on the old fork‑PR bypass. Ensure workflows and merge policies expect a merged PR before any bypass is allowed.
- If the change causes disruption, test the release in staging and revert to your last known good release while you adjust workflows and approval rules.
Please share feedback or report issues on the project’s issue tracker or community channels so maintainers can see how the change affects real‑world CI and workflows.


