CVE-2026-20904
Published 2026-01-22
Priority: P3 37 · CVSS 3.1: 6.5 (medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.28% (19.4th percentile)
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
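The flaw class the advisory describes is a lookup keyed only by the record ID, with no check that the record belongs to the requesting user. The following is an added illustration, not Gitea's code: a constructed in-memory store with the ID-only toggle beside one scoped to the caller. Type, field and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// OpenID is a constructed stand-in for one row of a user's OpenID identities.
type OpenID struct {
	ID   int64
	UID  int64 // owning user
	URI  string
	Show bool // shown on the public profile
}

// Store is a constructed in-memory table keyed by row ID.
type Store map[int64]*OpenID

// One error for "missing" and "not yours", so callers cannot probe other IDs.
var ErrNotFound = errors.New("openid: not found")

// ToggleVulnerable mirrors the flaw class: the row is fetched by ID alone and
// currentUID is never compared, so any authenticated user can flip any row.
func (s Store) ToggleVulnerable(currentUID, id int64) error {
	r, ok := s[id]
	if !ok {
		return ErrNotFound
	}
	r.Show = !r.Show
	return nil
}

// ToggleFixed scopes the lookup to the caller: the row must match both the
// ID and the owner before anything is changed.
func (s Store) ToggleFixed(currentUID, id int64) error {
	r, ok := s[id]
	if !ok || r.UID != currentUID {
		return ErrNotFound
	}
	r.Show = !r.Show
	return nil
}

func main() {
	s := Store{7: &OpenID{ID: 7, UID: 1, URI: "https://alice.example/id", Show: true}}
	fmt.Println(s.ToggleVulnerable(2, 7), s[7].Show) // <nil> false: user 2 flipped user 1's row
	fmt.Println(s.ToggleFixed(2, 7), s[7].Show)      // openid: not found false: rejected, unchanged
}
```

The same pattern applies to any per-user resource addressed by a caller-supplied ID: bind the owner into the lookup (or the SQL WHERE clause) rather than checking it after the fact, so a mismatch never reaches the write.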
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
CVSS provenance
NVD (v3.1): 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Red Hat (vendor): 6.5 MEDIUM
Red Hat
gitea: Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
vendor_redhat · 2026-01-22 · CVSS 6.5 · MEDIUM · CWE-639
An access control flaw has been discovered in Gitea. Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: openshift-pipelines/
OSV
Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
osv · 2026-02-02
OSV
Gitea does not properly validate ownership when toggling OpenID URI visibility
osv · 2026-01-23 · MEDIUM
GHSA
Gitea does not properly validate ownership when toggling OpenID URI visibility
ghsa · 2026-01-23 · MEDIUM · CWE-284
No detection rules found.
No public exploits indexed.
Published: 2026-01-22