CVE-2026-20912

Published: Jan 22, 2026Modified: Jan 29, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Affected (1)

Products: Gitea: Gitea

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gitea Gitea	Before 1.25.4

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (5)

https://blog.gitea.com/release-of-1.25.4/

Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Release Notes

https://github.com/go-gitea/gitea/pull/36320

Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Issue TrackingPatch

https://github.com/go-gitea/gitea/pull/36355

Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Issue TrackingPatch

https://github.com/go-gitea/gitea/releases/tag/v1.25.4

Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Release Notes

https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw

Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Broken Link

Timeline

No history available yet.