CVE-2026-20883
Published: 2026-01-22
Priority: P3 · 39 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.33% (25.1st percentile)
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
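The root cause is the pattern CWE-284 names: the listing treats the existence of a stopwatch row, created while the user still had access, as proof of access, and joins straight through to the issue title and repository name without re-checking the caller's current permission. The following Go program is an added illustration of that flaw class beside the read-time check that closes it. It is not Gitea's code or schema and does not reproduce the Gitea API; the types (`Repo`, `Issue`, `Stopwatch`, `Store`), the `canRead` decision, the `recheck` flag, and the sample repositories, issue titles and user ID 7 are all constructed for this example.

```go
package main

import "fmt"

// Constructed in-memory model for illustration; not Gitea's code or schema.
type Repo struct {
	ID            int
	Name          string
	Private       bool
	Collaborators map[int]bool // user ID -> currently has access
}

type Issue struct {
	ID     int
	RepoID int
	Title  string
}

// A Stopwatch row outlives the access that existed when it was started;
// that stale row is the source of the disclosure the advisory describes.
type Stopwatch struct {
	UserID  int
	IssueID int
}

type Store struct {
	Repos       map[int]*Repo
	Issues      map[int]*Issue
	Stopwatches []Stopwatch
}

// StopwatchView is what the list endpoint returns to the caller.
type StopwatchView struct {
	RepoName   string
	IssueTitle string
}

// canRead is the single access decision: public repositories are readable by
// anyone, private ones only by current collaborators.
func (s *Store) canRead(userID int, repo *Repo) bool {
	return !repo.Private || repo.Collaborators[userID]
}

// RevokeAccess removes a collaborator but, as in the vulnerable flow, leaves
// the user's existing stopwatch rows untouched.
func (s *Store) RevokeAccess(userID, repoID int) {
	delete(s.Repos[repoID].Collaborators, userID)
}

// ListStopwatches builds the view for one user. With recheck=false it mirrors
// the flaw class: the stopwatch row is treated as proof of access and the join
// to issue and repository data is returned as-is. With recheck=true the
// caller's current permission is re-validated at read time and rows on
// repositories they can no longer read are skipped.
func (s *Store) ListStopwatches(userID int, recheck bool) []StopwatchView {
	var out []StopwatchView
	for _, sw := range s.Stopwatches {
		if sw.UserID != userID {
			continue
		}
		issue, ok := s.Issues[sw.IssueID]
		if !ok {
			continue // issue deleted after the stopwatch was started
		}
		repo := s.Repos[issue.RepoID]
		if recheck && !s.canRead(userID, repo) {
			continue // access revoked: do not disclose title or repo name
		}
		out = append(out, StopwatchView{RepoName: repo.Name, IssueTitle: issue.Title})
	}
	return out
}

// NewScenario builds the constructed sample: user 7 starts stopwatches on an
// issue in a private repository and one in a public repository, then is
// removed from the private repository.
func NewScenario() *Store {
	s := &Store{
		Repos: map[int]*Repo{
			1: {ID: 1, Name: "acme/secret-plans", Private: true, Collaborators: map[int]bool{7: true}},
			2: {ID: 2, Name: "acme/public-docs", Collaborators: map[int]bool{}},
		},
		Issues: map[int]*Issue{
			10: {ID: 10, RepoID: 1, Title: "Q3 acquisition target list"},
			20: {ID: 20, RepoID: 2, Title: "Fix typo in README"},
		},
		Stopwatches: []Stopwatch{{UserID: 7, IssueID: 10}, {UserID: 7, IssueID: 20}},
	}
	s.RevokeAccess(7, 1)
	return s
}

func main() {
	s := NewScenario()
	fmt.Println("vulnerable:", s.ListStopwatches(7, false)) // still lists the private issue
	fmt.Println("fixed:     ", s.ListStopwatches(7, true))  // public repository only
}
```

The design point is where the check lives. Deleting a user's stopwatches when they are removed as a collaborator is not sufficient, because access can also disappear when a team or organisation membership ends or when a repository is switched to private; a permission check on every read covers all of those paths with one decision. To verify a patched deployment (1.25.4 or later per the affected ranges above), start a stopwatch as a test collaborator on a private test repository, revoke that user's access, and confirm the stopwatch listing no longer returns that issue's title or the repository name.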
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Red Hat (vendor) | 6.5 | MEDIUM | — |
Red Hat
vendor_redhat · 2026-01-22 · CVSS 6.5 · MEDIUM · CWE-284
CVE-2026-20883: gitea: Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure
A missing authorization check has been discovered in Gitea. Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployme
OSV
osv · 2026-02-02
CVE-2026-20883: Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea
GHSA
ghsa · 2026-01-23 · LOW · CWE-284
CVE-2026-20883: Gitea improperly exposes issue titles and repository names through previously started stopwatches
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
OSV
osv · 2026-01-23 · LOW
CVE-2026-20883: Gitea improperly exposes issue titles and repository names through previously started stopwatches
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
No detection rules found.
No public exploits indexed.