CVE-2026-20883 — Improper Access Control in Gitea

CWE-284 — Improper Access Control6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 98.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Github.com Go-gitea Gitea Gitea +1 more

Timeline

PublishedJan 22

Latest updateFeb 2

Description

Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDgitea/gitea< 1.25.4

▶Gocode.gitea.io/gitea< 1.25.4

▶Gogithub.com/go-gitea_gitea< 1.25.4

▶CVEListV5gitea/gitea_open_source_git_server1.25.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea↗2026-02-02

▶

GHSA

Gitea improperly exposes issue titles and repository names through previously started stopwatches↗2026-01-23

▶

OSV

Gitea improperly exposes issue titles and repository names through previously started stopwatches↗2026-01-23

▶

📋Vendor Advisories

Red Hat

gitea: Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure↗2026-01-22

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20883 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶