CVE-2026-20750

CRITICAL 9.1

Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)

CVSS Score

9.1

EPSS Score

0.3%

EPSS Percentile

27th

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

CWE	CWE-284
Vendor	gitea
Product	gitea open source git server
Published	Jan 22, 2026
Last Updated	Jun 27, 2026

Stay Ahead of the Next One

Get instant alerts for gitea gitea open source git server

Be the first to know when new critical vulnerabilities affecting gitea gitea open source git server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Gitea / Gitea Open Source Git Server

0 ≤ 1.25.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27 github.com: https://github.com/go-gitea/gitea/pull/36318 github.com: https://github.com/go-gitea/gitea/pull/36373 github.com: https://github.com/go-gitea/gitea/releases/tag/v1.25.4 blog.gitea.com: https://blog.gitea.com/release-of-1.25.4/ access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-20750 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2432216 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20750.json

Credits

🔍 spingARbor