CVE-2026-20736
📋 TL;DR
This vulnerability in Gitea allows users who previously uploaded attachments to a repository to delete those attachments even after losing access to that repository. By making deletion requests through a different repository they still have access to, they can bypass proper authorization checks. This affects all Gitea instances running vulnerable versions.
💻 Affected Systems
- Gitea
📦 What is this software?
Gitea by Gitea
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could delete critical attachments from repositories they no longer have access to, potentially causing data loss, disrupting workflows, or removing important documentation.
Likely Case
Former contributors or users with revoked access could delete their previously uploaded attachments from repositories, causing minor data loss or inconvenience.
If Mitigated
With proper access controls and monitoring, impact would be limited to non-critical attachments with minimal operational disruption.
🎯 Exploit Status
Exploitation requires authenticated access to at least one repository and knowledge of attachment IDs from previous repository access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.25.4
Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-jr6h-pwwp-c8g6
Restart Required: Yes
Instructions:
1. Backup your Gitea instance and database.
2. Download Gitea 1.25.4 or later from official releases.
3. Stop Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart Gitea service.
6. Verify the version is 1.25.4 or higher.
🔧 Temporary Workarounds
Disable attachment functionality
Temporarily disable file attachments in the Gitea configuration to prevent exploitation while you plan the upgrade.
Edit the app.ini configuration file and, in the [attachment] section, set ENABLED = false
🧯 If You Can't Patch
- Implement strict access control reviews and remove unnecessary user permissions
- Enable detailed logging for attachment deletion events and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check if Gitea version is below 1.25.4 by running the version command or checking the admin panel.
Check Version:
./gitea --version
Verify Fix Applied:
After patching, verify the version is 1.25.4 or higher and test that users without repository access cannot delete attachments from that repository.
📡 Detection & Monitoring
Log Indicators:
- Attachment deletion events where the requesting user no longer has access to the repository that owns the attachment
- Multiple attachment deletions by the same user that touch attachments owned by different repositories
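The two log indicators above as runnable detection logic, added here as an example and not part of the advisory or of Gitea itself. The log line format, the attachment-to-repository inventory and the current-access table are constructed assumptions; on a real instance, the inventory and access data would come from the Gitea database and the parser would be adapted to the actual log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not Gitea's real log format): actor, route repo, attachment id, status.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z user=alice DELETE repo=acme/docs attachment=101 status=204
2026-01-10T09:05:12Z user=mallory DELETE repo=mallory/scratch attachment=202 status=204
2026-01-10T09:06:40Z user=mallory DELETE repo=mallory/scratch attachment=203 status=204
2026-01-10T09:07:02Z user=bob DELETE repo=acme/app attachment=301 status=403
"""
# Constructed attachment->owning repo inventory (from the DB in practice) and current access table.
ATTACHMENT_OWNER = {101: "acme/docs", 202: "acme/docs", 203: "acme/app", 301: "acme/app"}
CURRENT_ACCESS = {"alice": {"acme/docs"}, "mallory": {"mallory/scratch"}, "bob": set()}

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) DELETE repo=(?P<repo>\S+) "
                     r"attachment=(?P<att>\d+) status=(?P<status>\d+)")

def parse_events(log_text):
    """Parse the constructed format into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["att"], e["status"] = int(e["att"]), int(e["status"])
            events.append(e)
    return events

def cross_repo_deletions(events, owner=ATTACHMENT_OWNER, access=CURRENT_ACCESS):
    """Indicator 1: route repo != owning repo, or the actor lacks access to the owner."""
    hits = []
    for e in events:
        if e["status"] >= 400:          # failed requests are noise for this indicator
            continue
        owning = owner.get(e["att"])
        mismatched = owning is not None and owning != e["repo"]
        no_access = owning not in access.get(e["user"], set())
        if mismatched or no_access:
            hits.append((e["user"], e["att"], e["repo"], owning))
    return hits

def multi_repo_deleters(events, owner=ATTACHMENT_OWNER, min_repos=2):
    """Indicator 2: users whose successful deletions span >= min_repos distinct owning repos."""
    repos = defaultdict(set)
    for e in events:
        if e["status"] < 400:
            # group by the owning repo, not the route repo, or the pivot stays hidden
            repos[e["user"]].add(owner.get(e["att"], e["repo"]))
    return {u: sorted(r) for u, r in repos.items() if len(r) >= min_repos}
```

Grouping by the repository named in the request route alone would miss the pattern, because the bypass is precisely that the route repository differs from the one owning the attachment.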
Network Indicators:
- HTTP DELETE requests to /api/v1/repos/{owner}/{repo}/attachments/{id} where the {owner}/{repo} in the path is not the repository that owns attachment {id}
SIEM Query:
source="gitea.log" AND "attachment" AND "delete" AND NOT "success"