CVE-2026-20800
Published 2026-01-22
Priority: P3 (40) · CVSS 3.1 base score: 6.5 (medium)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.34% (26.2nd percentile)
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.
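The flaw described above, as an added illustration that is not Gitea's own code: a stored notification carries the issue or pull request title captured when the event happened, and if the listing and single-thread endpoints return it while trusting the access decision made at that time, a user who has since been removed from the private repository keeps reading titles. The types, store, user and repository IDs and titles below are assumptions constructed for the example; the fix pattern is to evaluate repository access against the current state at read time.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model for the example; these are not Gitea's types.
type Repo struct {
	ID      int64
	Private bool
	Members map[int64]bool // user IDs currently granted access
}

// Notification stores the subject title as it was when the event happened,
// which is exactly what leaks if access is not re-checked on read.
type Notification struct {
	ID     int64
	UserID int64 // recipient
	RepoID int64
	Title  string // issue or pull request title
}

type Store struct {
	Repos         map[int64]*Repo
	Notifications []Notification
}

var ErrNotFound = errors.New("notification not found")

// canAccess evaluates the recipient's current permission on the repository.
func (s *Store) canAccess(userID, repoID int64) bool {
	r, ok := s.Repos[repoID]
	if !ok {
		return false
	}
	return !r.Private || r.Members[userID]
}

// Revoke removes a user's access to a repository (e.g. collaborator removed).
func (s *Store) Revoke(userID, repoID int64) {
	if r, ok := s.Repos[repoID]; ok {
		delete(r.Members, userID)
	}
}

// ListVulnerable mirrors the flawed behaviour: it returns every stored
// notification for the recipient, trusting the access decision that was
// valid when the notification was created.
func (s *Store) ListVulnerable(userID int64) []Notification {
	var out []Notification
	for _, n := range s.Notifications {
		if n.UserID == userID {
			out = append(out, n)
		}
	}
	return out
}

// ListFixed re-validates repository access at read time and drops
// notifications for repositories the recipient can no longer see.
func (s *Store) ListFixed(userID int64) []Notification {
	var out []Notification
	for _, n := range s.Notifications {
		if n.UserID == userID && s.canAccess(userID, n.RepoID) {
			out = append(out, n)
		}
	}
	return out
}

// GetFixed applies the same check to the single-thread lookup. A uniform
// "not found" avoids confirming that a thread exists in a repository the
// caller cannot see.
func (s *Store) GetFixed(userID, notifID int64) (Notification, error) {
	for _, n := range s.Notifications {
		if n.ID == notifID && n.UserID == userID && s.canAccess(userID, n.RepoID) {
			return n, nil
		}
	}
	return Notification{}, ErrNotFound
}

// newScenarioStore builds constructed sample data: users 7 and 9 are
// collaborators on private repo 1; user 7 also has a notification from
// public repo 2.
func newScenarioStore() *Store {
	return &Store{
		Repos: map[int64]*Repo{
			1: {ID: 1, Private: true, Members: map[int64]bool{7: true, 9: true}},
			2: {ID: 2, Private: false, Members: map[int64]bool{}},
		},
		Notifications: []Notification{
			{ID: 1, UserID: 7, RepoID: 1, Title: "Rotate leaked staging credentials"},
			{ID: 2, UserID: 7, RepoID: 2, Title: "Fix typo in README"},
			{ID: 3, UserID: 9, RepoID: 1, Title: "Bump dependency"},
		},
	}
}

func main() {
	s := newScenarioStore()
	s.Revoke(7, 1) // user 7 loses access to the private repository

	fmt.Println("vulnerable listing after revocation:")
	for _, n := range s.ListVulnerable(7) {
		fmt.Printf("  repo %d: %q\n", n.RepoID, n.Title) // still shows the repo 1 title
	}
	fmt.Println("fixed listing after revocation:")
	for _, n := range s.ListFixed(7) {
		fmt.Printf("  repo %d: %q\n", n.RepoID, n.Title) // only repo 2
	}
}
```

The same experiment is the practical check after upgrading an instance to 1.25.4: remove a test user from a private repository that has generated notifications for them, then call the notification API (GET /api/v1/notifications) with that user's token and confirm that no thread for the repository, and no subject title from it, is returned.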
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
References
OSV (2026-02-02): Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea
OSV (2026-01-23): [LOW] Gitea improperly exposes issue and pull request titles
GHSA (2026-01-23): [LOW] CWE-200 Gitea improperly exposes issue and pull request titles
No detection rules found.
No public exploits indexed.