CVE-2026-20912
Published 2026-01-22
Priority: P349 | Severity: critical | CVSS 3.1 base score: 9.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.41% (33.2nd percentile)
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Red Hat (vendor) | — | 9.1 | CRITICAL | — |
OSV (2026-02-02)
CVE-2026-20912: Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
GHSA (2026-01-23)
CVE-2026-20912 [MEDIUM] CWE-284: Gitea does not properly validate repository ownership when linking attachments to releases
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
OSV (2026-01-23)
CVE-2026-20912 [MEDIUM]: Gitea does not properly validate repository ownership when linking attachments to releases
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Red Hat (2026-01-22, CVSS 9.1)
CVE-2026-20912 [CRITICAL] CWE-283: gitea: Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure
An access control flaw has been discovered in Gitea. Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Mitigation: Mitigation for this issue is either not available or the currently available options do not me
No detection rules found.
No public exploits indexed.
https://blog.gitea.com/release-of-1.25.4/
https://github.com/go-gitea/gitea/pull/36320
https://github.com/go-gitea/gitea/pull/36355
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw
https://access.redhat.com/security/cve/CVE-2026-20912
https://bugzilla.redhat.com/show_bug.cgi?id=2432219
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20912.json