CVE-2026-0798
Published 2026-01-22
Priority P4 · 15 · low · 3.5 · CVSS 3.1
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.24% (14.6th percentile)
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
CVSS provenance
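| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
| vendor_redhat | — | 3.5 | LOW | — |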
OSV
Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea
osv·2026-02-02
CVE-2026-0798 Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea
OSV
Gitea may send release notification emails for private repositories to users whose access has been revoked
osv·2026-01-23
CVE-2026-0798 [LOW] Gitea may send release notification emails for private repositories to users whose access has been revoked
GHSA
Gitea may send release notification emails for private repositories to users whose access has been revoked
ghsa·2026-01-23
CVE-2026-0798 [LOW] CWE-284 Gitea may send release notification emails for private repositories to users whose access has been revoked
Red Hat
gitea: Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
vendor_redhat·2026-01-22·CVSS 3.5
CVE-2026-0798 [LOW] CWE-497 gitea: Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
An information exposure flaw has been discovered in Gitea. Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Mitigation: M
No detection rules found.
No public exploits indexed.