CVE-2026-20750
Published 2026-01-22
Priority: P3 · 51 · Critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.39% (31.0th percentile)
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vendor_redhat | — | 9.1 | CRITICAL | — |
OSV (osv · 2026-02-02)
CVE-2026-20750: Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea
OSV (osv · 2026-01-23)
CVE-2026-20750 [MEDIUM]: Gitea does not properly validate project ownership in organization project operations
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
GHSA (ghsa · 2026-01-23)
CVE-2026-20750 [MEDIUM] CWE-284: Gitea does not properly validate project ownership in organization project operations
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Red Hat (vendor_redhat · 2026-01-22 · CVSS 9.1)
CVE-2026-20750 [CRITICAL] CWE-284: gitea: Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)
An access control flaw has been discovered in Gitea. Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation
No detection rules found.
No public exploits indexed.
References:
- https://blog.gitea.com/release-of-1.25.4/
- https://github.com/go-gitea/gitea/pull/36318
- https://github.com/go-gitea/gitea/pull/36373
- https://github.com/go-gitea/gitea/releases/tag/v1.25.4
- https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27
- https://access.redhat.com/security/cve/CVE-2026-20750
- https://bugzilla.redhat.com/show_bug.cgi?id=2432216
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20750.json
Published: 2026-01-22