CVE-2026-20897
Published: 2026-01-22
Priority P3 · 53 · critical · 9.1 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.41% (33.2nd percentile)
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vendor_redhat | — | 9.1 | CRITICAL | — |
OSV (osv · 2026-02-02)
CVE-2026-20897: Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
GHSA (ghsa · 2026-01-23)
CVE-2026-20897 [MEDIUM] CWE-284: Gitea does not properly validate repository ownership when deleting Git LFS locks
OSV (osv · 2026-01-23)
CVE-2026-20897 [MEDIUM]: Gitea does not properly validate repository ownership when deleting Git LFS locks
Red Hat (vendor_redhat · 2026-01-22 · CVSS 9.1)
CVE-2026-20897 [CRITICAL] CWE-639: gitea: Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
An access control flaw has been discovered in Gitea. Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: openshift-pipelines/pipelines-o
No detection rules found.
No public exploits indexed.
References
https://blog.gitea.com/release-of-1.25.4/
https://github.com/go-gitea/gitea/pull/36344
https://github.com/go-gitea/gitea/pull/36349
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/security/advisories/GHSA-rrq5-r9h5-pc7c
https://access.redhat.com/security/cve/CVE-2026-20897
https://bugzilla.redhat.com/show_bug.cgi?id=2432204
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20897.json