Gitea v1.27.0 released on 13-07-2026

Gitea v1.27.0 is out now. It delivers a set of critical security hardenings and a number of breaking changes that administrators and CI maintainers should check before upgrading.
Read the full release notes on the project’s GitHub for migration guidance, security details and the complete list of API, Actions and UI changes.
What’s in this release
- Security hardening and privacy fixes: tightened access checks and migration validation, enforcement of public-only token scope, prevention of private repo metadata leaks after access revocation, proof-of-possession for cross-repo LFS objects, disabled HTTP redirects for pull mirror syncs, path traversal prevention during repository restore, and Content-Security-Policy updates (script nonce) plus X-Content-Type-Options: nosniff.
- Actions updates: improved (breaking) support for reusable workflows, owner-level and global scoped workflows, workflow status badge modal, job summaries (GITHUB_STEP_SUMMARY), continue-on-error for jobs, bulk admin runner operations, better status handling and numerous performance and bug fixes.
- APIs and integrations: token introspection and self-deletion endpoint, raw diff/patch endpoint, support for ref suffixes in compare, server-side branch filtering (q parameter), GET workflow runs endpoint, OpenAPI 3.0 served at /openapi.v1.json, and OAuth/OIDC provider improvements.
Upgrade notes
- Breaking change: the improved support for reusable workflows in Actions is a breaking change — review the migration guidance for workflows and runners before upgrading.
- Gitea Cloud instances will be automatically upgraded to v1.27.0 during the scheduled maintenance window; plan accordingly if you run hosted or managed instances.
Share comments on your upgrade experience or report issues to the Gitea project so others can learn from any migration problems you encounter.


