Gitea, a lightweight and open-source Git hosting platform designed for simplicity and ease of self-hosting, has released version 1.26, addressing three vulnerabilities: CVE-2026-28737, CVE-2026-22555, and CVE-2026-27780.
In addition to security updates, Gitea 1.26 significantly enhances Actions. New features include concurrency syntax for workflows, support for actions and reusable workflows from private repositories, configurable permissions for Actions tokens, per-runner pause and disable controls, support for non-zipped artifacts, workflow summaries, and the option to re-run only failed jobs.
Repository and release management have also been improved. Gitea 1.26 introduces keyboard shortcuts for file and code search, support for archive-upload RPC, and the ability to download archives for specific repository subpaths.
Moreover, the release editor can now automatically generate release notes from merged pull requests and contributors, streamlining version publishing. The file list now includes a “Go to file” function and allows directory deletion directly from the browser when permitted.
Performance has been enhanced through the use of newer Git batch operations for object reads, reducing overhead in large workloads. When supported, merge-tree is now used for faster merge conflict detection, improving pull request and merge preview handling on larger or busier instances.
Administrators benefit from new tools in Gitea 1.26, including an instance-wide information banner and maintenance mode for managing global notices and services during maintenance windows. User badges are now supported, enabling instances to highlight roles, achievements, or internal designations on profiles.
This release also introduces infrastructure enhancements. Gitea now supports a Terraform state registry via its package registry, allowing teams to manage Terraform state with existing access controls. OpenAPI specifications can now be rendered directly in the browser.
The front-end and build stack have undergone significant changes. Gitea has migrated from webpack to Vite, and the in-browser editor now uses CodeMirror instead of Monaco. The CSRF cookie mechanism has been replaced with CrossOriginProtection, which may affect deployments with custom reverse proxy, embedding, CORS, or cookie configurations.
Finally, several changes in 1.26 may require attention during upgrades. The environment-to-ini tool has been replaced by a new config edit-ini subcommand. Swagger annotations have been corrected, so generated OpenAPI descriptions now more accurately reflect enum values, status codes, and notification states.
API clients generated from the specification may need to be regenerated and revalidated. The GET API registration-token endpoint has been removed. Additionally, new installations now default PUBLIC_URL_DETECTION to auto. Administrators using reverse proxies or alternate hostnames should verify that generated links, redirects, and webhook behavior align with their intended configuration.
For more information, see the announcement. As always, users should back up their data before upgrading; the upgrade itself is done by replacing the binary or Docker container and restarting the service.
