CVE-2025-69413
published 2026-01-01
CVE-2025-69413: In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
Priority: P4 · 30 · medium · 5.3 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.36% (27.5th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.2 | 1.25.2 |
| gitea | gitea | < 1.25.2 | 1.25.2 |
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vendor_redhat · 5.3 MEDIUM
OSV
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
osv·2026-01-12
CVE-2025-69413 Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
OSV
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
osv·2026-01-01
CVE-2025-69413 [MEDIUM] Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
GHSA
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
ghsa·2026-01-01
CVE-2025-69413 [MEDIUM] CWE-204 Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
Red Hat
Gitea: Gitea: Information disclosure via differing authentication responses
vendor_redhat·2026-01-01·CVSS 5.3
CVE-2025-69413 [MEDIUM] CWE-204 Gitea: Gitea: Information disclosure via differing authentication responses
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
A flaw was found in Gitea. A remote attacker can exploit this vulnerability by observing different responses from the /api/v1/user endpoint during failed authentication attempts. This information disclosure allows the attacker to determine whether a specific username exists on the system.
Statement: This vulnerability is rated Moderate as it allows for information disclosure through differing authentication responses on the `/api/v1/user` endpoint. This enables a remote attacker to enumerate valid usernames on affected systems, including OpenShift Pipelines deployments utilizing Gitea co
No detection rules found.
No public exploits indexed.
2026-01-01
Published