Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Gitea versions 1.5.0 through 1.26.2 contain a critical authentication weakness where Time-based One-Time Password (TOTP) codes can be reused across multiple authentication attempts. This vulnerability undermines two-factor authentication (2FA) security by allowing attackers who intercept or guess a valid TOTP code to authenticate repeatedly within the window before the code expires—both through standard web login flows and the Basic Auth X-Gitea-OTP header path. Organizations running affected Gitea instances face elevated risk of unauthorized account access, particularly if their Gitea deployments host sensitive repositories, CI/CD pipelines, or serve as identity providers for downstream systems. The vulnerability affects any user relying on TOTP as their second authentication factor.
While this CVE lacks explicit MITRE ATT&CK mappings, the underlying attack pattern aligns with credential-based techniques (T1110 - Brute Force, T1528 - Steal Application Access Token) and initial access vectors (T1199 - Trusted Relationship). Casky's Claude-powered analysis engine, enhanced with extended reasoning capabilities, detects anomalies in authentication workflows by identifying repeated successful logins using identical TOTP values within short timeframes, unusual authentication source-destination pairs, and API calls bearing reused OTP headers. Practitioners would observe alerts flagging suspicious authentication clusters where the same credential material succeeds across geographically dispersed or temporally overlapping sessions—a pattern inconsistent with legitimate single-use behavior. Security teams can map findings to account compromise investigation workflows and validate whether their Gitea instances require immediate patching to 1.26.3 or later.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-20779. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation