CVE-2026-20904 — Improper Access Control in Gitea

CWE-284 — Improper Access Control CWE-639 — Authorization Bypass Through User-Controlled Key6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 97.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Github.com Go-gitea Gitea Gitea +1 more

Timeline

PublishedJan 22

Latest updateFeb 2

Description

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDgitea/gitea< 1.25.4

▶Gocode.gitea.io/gitea< 1.25.4

▶Gogithub.com/go-gitea_gitea< 1.25.4

▶CVEListV5gitea/gitea_open_source_git_server1.25.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea↗2026-02-02

▶

OSV

Gitea does not properly validate ownership when toggling OpenID URI visibility↗2026-01-23

▶

GHSA

Gitea does not properly validate ownership when toggling OpenID URI visibility↗2026-01-23

▶

📋Vendor Advisories

Red Hat

gitea: Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes↗2026-01-22

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20904 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶