CVE-2026-20800Sensitive Information Exposure in Gitea

CWE-200Sensitive Information Exposure6 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 97.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Code.gitea.io GiteaGithub.com Go-gitea GiteaGitea+1 more
Timeline
PublishedJan 22
Latest updateFeb 2

Description

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDgitea/gitea< 1.25.4
Gocode.gitea.io/gitea< 1.25.4

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea2026-02-02
OSV
Gitea improperly exposes issue and pull request titles2026-01-23
GHSA
Gitea improperly exposes issue and pull request titles2026-01-23

🕵️Threat Intelligence

1
Wiz
CVE-2026-20800 Impact, Exploitability, and Mitigation Steps | Wiz