CVE-2026-0798

3.5 LOW

📋 TL;DR

Gitea versions before 1.25.4 may send release notification emails for private repositories to users whose access has been revoked. This information disclosure vulnerability affects organizations using Gitea where repositories transition from public to private, potentially exposing release details to unauthorized former watchers.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.25.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects instances where email notifications are enabled and repositories transition from public to private with existing watchers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive release information (titles, tags, content) from private repositories is disclosed to unauthorized users, potentially revealing confidential project details, release schedules, or intellectual property.

🟠 Likely Case

Former repository watchers receive notifications about releases they should no longer see, leading to unauthorized information disclosure about repository activity.

🟢 If Mitigated

No information disclosure occurs; only current authorized users receive notifications for private repositories.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to have previously watched a repository before it becomes private, then have their access revoked. The vulnerability triggers automatically when releases occur.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.4

Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.25.4 or later from https://github.com/go-gitea/gitea/releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify the version with 'gitea --version'.

🔧 Temporary Workarounds

Disable email notifications (applies to: all)

Temporarily disable email notifications for releases to prevent information disclosure.

Edit app.ini configuration:

[mailer]
ENABLED = false

Restart Gitea: systemctl restart gitea

Remove all watchers before making repositories private (applies to: all)

Manually remove all watchers from repositories before changing them from public to private.

🧯 If You Can't Patch

  • Audit all repositories that have transitioned from public to private and review who received notifications
  • Implement manual review processes for repository permission changes and notification recipients

🔍 How to Verify

Check if Vulnerable:

Check the Gitea version: if it is lower than 1.25.4, the instance is vulnerable.

Check Version:

gitea --version

Verify Fix Applied:

After patching, verify that the version is 1.25.4 or later and test that former watchers of now-private repositories no longer receive release notifications.
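The version check above (and step 6 of the fix instructions) is easy to get wrong when done by eye or with a string comparison, because "1.9.x" sorts after "1.25.x" lexically. The following POSIX sh script is an added example, not part of this advisory or of Gitea itself: it parses the first line of `gitea --version` output (which, on the instances I have seen, begins "Gitea version X.Y.Z built with ..."; the sample strings below are constructed) and compares the numeric components against the fixed release 1.25.4 without relying on `sort -V`.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Gitea instance is
# still exposed to CVE-2026-0798 by comparing its version against the fixed
# release 1.25.4. Pure POSIX sh, no GNU-specific tools required.

FIXED_VERSION="1.25.4"

# extract_gitea_version: pull "X.Y.Z" out of a `gitea --version` line
# ("Gitea version X.Y.Z built with ...") or out of a bare "X.Y.Z[-suffix]" string.
# Prints nothing if no three-part version is found.
extract_gitea_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^\(Gitea version \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\2/p' \
        | head -n 1
}

# version_lt A B: exit status 0 if A < B, comparing major, minor and patch
# as integers (so 1.9.10 < 1.25.4, which a plain string compare gets wrong).
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# gitea_is_vulnerable "<gitea --version output>"
#   prints a verdict and returns 0 = vulnerable, 1 = patched, 2 = unparseable
gitea_is_vulnerable() {
    v=$(extract_gitea_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN (could not parse a version from: $1)"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE ($v < $FIXED_VERSION): upgrade to $FIXED_VERSION or later"
        return 0
    fi
    echo "PATCHED ($v >= $FIXED_VERSION)"
    return 1
}

# Stand-alone use: check the live binary if one is on PATH, otherwise run the
# check against a constructed sample line so the script demonstrates itself.
if command -v gitea >/dev/null 2>&1; then
    gitea_is_vulnerable "$(gitea --version 2>/dev/null | head -n 1)" || true
else
    gitea_is_vulnerable "Gitea version 1.25.3 built with GNU Make 4.4.1, go1.23.4 : bindata, sqlite, sqlite_unlock_notify" || true
fi
```

Run it on each Gitea host (or feed it the version line collected by your inventory tooling); a non-zero exit with "PATCHED" is the expected result after upgrading, and "UNKNOWN" means the output format differed and the line should be inspected by hand rather than trusted.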

📡 Detection & Monitoring

Log Indicators:

  • Email notification logs showing emails sent to users for private repository releases
  • Access logs showing users accessing repository data after access revocation

Network Indicators:

  • SMTP traffic containing release notifications for private repositories

SIEM Query:

source="gitea.logs" AND "release notification" AND "private repository"
