CVE-2026-20912

CRITICAL 9.1

Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure

CVSS Score

9.1

EPSS Score

0.4%

EPSS Percentile

29th

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

CWE	CWE-284 CWE-639
Vendor	gitea
Product	gitea open source git server
Published	Jan 22, 2026
Last Updated	Jun 27, 2026

Stay Ahead of the Next One

Get instant alerts for gitea gitea open source git server

Be the first to know when new critical vulnerabilities affecting gitea gitea open source git server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Gitea / Gitea Open Source Git Server

0 ≤ 1.25.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw github.com: https://github.com/go-gitea/gitea/pull/36320 github.com: https://github.com/go-gitea/gitea/pull/36355 github.com: https://github.com/go-gitea/gitea/releases/tag/v1.25.4 blog.gitea.com: https://blog.gitea.com/release-of-1.25.4/ access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-20912 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2432219 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20912.json

Credits

🔍 spingARbor