Back to search
CVE-2026-20912
Published: Jan 22, 2026
Modified: Jan 23, 2026
PUBLISHED
Description
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
| Vendor | Product | Versions |
|---|---|---|
Gitea | Gitea Open Source Git Server | affected 0 - <= 1.25.3 |
References
GitHub Security Advisory
vendor-advisory
Gitea v1.25.4 Release
release-notes
Gitea v1.25.4 Release Blog Post
release-notes
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now