Gitea 1.26 Released With Security Fixes and Actions Upgrades

Gitea has released version 1.26, bringing important security fixes and a wide range of improvements. This update patches three vulnerabilities—CVE-2026-28737, CVE-2026-22555, and CVE-2026-27780—while significantly expanding the capabilities of Actions. New features include workflow concurrency controls, support for reusable workflows from private repositories, configurable token permissions, runner pause/disable options, non-zipped artifact support, workflow summaries, and the ability to re-run only failed jobs.
Repository and release management have also been enhanced, with additions like keyboard shortcuts for code and file search, archive-upload RPC support, and downloading archives for specific subpaths. The release editor can now auto-generate notes based on merged pull requests and contributors, making version publishing more efficient. Users also benefit from a “Go to file” feature and the ability to delete directories directly from the browser where permitted.
Performance improvements include the use of newer Git batch operations to reduce overhead in large workloads, along with merge-tree support for faster conflict detection—especially useful for busy or large repositories. Administrators gain new tools such as an instance-wide banner, maintenance mode, and support for user badges to highlight roles or achievements.
On the infrastructure side, this release introduces support for a Terraform state registry via the package registry and allows OpenAPI specifications to be rendered directly in the browser. The frontend has been modernized with a shift from webpack to Vite, and the in-browser editor now uses CodeMirror instead of Monaco. Additionally, the CSRF cookie mechanism has been replaced with CrossOriginProtection, which may require adjustments for setups using reverse proxies, CORS, or custom configurations.
Several upgrade-related changes should be noted. The environment-to-ini tool has been replaced with a new config edit-ini command, and Swagger annotations have been corrected for more accurate OpenAPI outputs. As a result, API clients may need regeneration and validation. The GET API registration-token endpoint has been removed, and new installations now default PUBLIC_URL_DETECTION to auto. Administrators using custom domains or reverse proxies should verify links, redirects, and webhook behavior after upgrading.
For more information, see the announcement. As always, users should back up their data before upgrading. The upgrade itself is done by replacing the binary or Docker container and restarting the service.








