@@ -4,41 +4,47 @@ This changelog goes through the changes that have been made in each release
44without substantial changes to our git log; to see the highlights of what has
55been added to each release, please refer to the [ blog] ( https://blog.gitea.com ) .
66
7- ## [ 1.26.2] ( https://github.com/go-gitea/gitea/releases/tag/1.26.2 ) - 2026-05-06
7+ ## [ 1.26.2] ( https://github.com/go-gitea/gitea/releases/tag/1.26.2 ) - 2026-05-20
8+
9+ * SECURITY
10+ * fix(permissions): Fix reading permission (#37769 )
11+ * fix(actions): make artifact signature payloads unambiguous (#37707 )
12+ * fix: Unify public-only token filtering in API queries and repo access checks (#37118 )
13+ * fix: Add missed token scope checking (#37735 )
14+ * fix(oauth): bind token exchanges to the original client request (#37704 )
15+ * fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706 )
16+ * fix(web): enforce token scopes on raw, media, and attachment downloads (#37698 )
17+ * fix(security): enforce wiki git writes and LFS token access at request time (#37695 )
18+ * feat(api): encrypt AWS creds (#37679 )
19+ * fix(deps): update dependency mermaid to v11.15.0 [ security] , add e2e test
20+ * fix(packages): Add label for private and internal package and fix composor package source permission check (#37610 )
21+ * fix(git): Fix smart http request scope bug (#37583 )
22+ * Fix basic auth bug (#37503 )
23+ * Fix allow maintainer edit permission check (#37479 ) (#37484 )
24+ * Fix URL sanitization to handle schemeless credentials (#37440 ) (#37471 )
25+ * Fix attachment Content-Security-Policy (#37455 ) (#37464 )
26+ * chore(deps): bump go-git/go-git/v5 to 5.19.0 (#37608 )
827
928* BUGFIXES
1029 * fix(pull): handle empty pull request files view to allow reviews (#37783 )
1130 * fix(markup): make RenderString never fail (#37779 )
1231 * fix: add natural sort to sortTreeViewNodes (#37772 )
1332 * fix: package creation unique conflict (#37774 )
14- * fix(permissions): Fix reading permission (#37769 )
15- * fix(actions): make artifact signature payloads unambiguous (#37707 )
16- * fix: Unify public-only token filtering in API queries and repo access checks (#37118 )
1733 * fix!: add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (#37465 )
18- * fix: Add missed token scope checking (#37735 )
1934 * fix: Allow direct commits for unprotected files with push restrictions (#37657 )
20- * fix(oauth): bind token exchanges to the original client request (#37704 )
2135 * fix(actions): wrong assumption that run id always >= job id (#37737 )
22- * fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706 )
23- * fix(web): enforce token scopes on raw, media, and attachment downloads (#37698 )
2436 * fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564 ) (#37588 )
25- * fix(security): enforce wiki git writes and LFS token access at request time (#37695 )
2637 * fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692 )
2738 * fix(repo): /generate must sync the branch table for the new repo (#37693 )
28- * feat(api): encrypt AWS creds (#37679 )
2939 * build: Fix snap build (1.26)
3040 * fix(actions): run TransferLogs on UpdateLog{Rows:[ ] , NoMore: true } (#37631 )
31- * fix(deps): update dependency mermaid to v11.15.0 [ security] , add e2e test
3241 * fix show correct mergebase
33- * fix(packages): Add label for private and internal package and fix composor package source permission check (#37610 )
3442 * fix: make clone URL respect public URL detection setting (#37615 )
35- * chore(deps): bump go-git/go-git/v5 to 5.19.0 (#37608 )
3643 * fix: "run as root" check (#37622 )
3744 * chore(deps): update dependency go to v1.26.3 (#37601 )
3845 * Compare dropdown fails when selecting branch with no common merge-base (#37470 )
3946 * fix: treat email addresses case-insensitively (#37600 )
4047 * fix(actions): fix blank lines after ::endgroup:: (#37597 )
41- * fix(git): Fix smart http request scope bug (#37583 )
4248 * fix(actions): report individual step status in workflow job API response (#37592 )
4349 * fix: Invalid UTF-8 commit messages in JSON API responses (#37542 )
4450 * fix: use consistent GetUser family functions (#37553 )
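Review bot: The mermaid entry in the new SECURITY list ("fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test") carries no PR reference, unlike every other entry in that list, so a reader triaging the release cannot trace it; add the PR number while the line is being moved. In the same list, "composor" in the #37610 entry is a typo for "composer". The heading also changes the date of the existing 1.26.2 entry from 2026-05-06 to 2026-05-20, so confirm the new date matches the actual tag. Finally, "feat(api): encrypt AWS creds (#37679)" and the go-git bump (#37608) are now classed as SECURITY but their titles do not say what issue they address; a few words on the impact would help operators judge upgrade urgency.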
@@ -51,15 +57,11 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
5157 * Fix merge autodetect can't close other PRs but only the last one when multiple PRs are pushed at once (#37512 ) (#37516 )
5258 * Fix update branch protection order (#37508 ) (#37513 )
5359 * Fix mCaptcha broken after Vite migration (#37492 ) (#37509 )
54- * Fix basic auth bug (#37503 )
5560 * Fix review submission from single-commit PR view (#37475 ) (#37485 )
56- * Fix allow maintainer edit permission check (#37479 ) (#37484 )
57- * Fix URL sanitization to handle schemeless credentials (#37440 ) (#37471 )
5861 * Fix scheduled action panic with null event payload (#37459 ) (#37466 )
5962 * Make GetPossibleUserByID can handle deleted user (#37430 ) (#37431 )
6063 * Remove excessive quote from terraform instructions (#37424 ) (#37426 )
6164 * Fix color regressions, add ` priority ` color (#37417 ) (#37421 )
62- * Fix attachment Content-Security-Policy (#37455 ) (#37464 )
6365
6466* MISC
6567 * Add CurrentURL template variable back (#37444 ) (#37449 )
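Review bot: The four entries removed here (#37503, #37479/#37484, #37440/#37471, #37455/#37464) reappear unchanged at the end of the SECURITY list in the first hunk, and "Fix basic auth bug (#37503)" in particular is too vague for a security entry. Since the line is being reclassified anyway, reword it to state what the bug affected, so that administrators reading only the SECURITY section can tell whether their deployment is exposed.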