CVE-2026-20897
9.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 / Impact: 5.2
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
Description
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Affected (1)
Related CWEs
CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
References (5)
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Issue TrackingPatch
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Issue TrackingPatch
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Release Notes
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Broken Link
Timeline
No history available yet.