Back to search
CVE-2026-20736
Published: Jan 22, 2026
Modified: Jan 23, 2026
PUBLISHED
Description
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
| Vendor | Product | Versions |
|---|---|---|
Gitea | Gitea Open Source Git Server | affected 0 - <= 1.25.3 |
Weaknesses (CWE)
References
GitHub Security Advisory
vendor-advisory
Gitea v1.25.4 Release
release-notes
Gitea v1.25.4 Release Blog Post
release-notes
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now