CVE-2026-20750

9.1 CRITICAL

📋 TL;DR

Gitea contains an authorization bypass: a user who holds project write access in one organization can modify projects belonging to other organizations. Every Gitea instance that hosts more than one organization is exposed as soon as any user has project write access in at least one of them; the missing ownership check lets that user make unauthorized project changes across organizational boundaries.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.25.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with multiple organizations and users who have project write access in at least one organization.

📦 What is this software?

Gitea is a self-hosted Git service written in Go. Besides repositories it provides organizations, teams, issues and project boards; the project boards, which exist at both organization and repository level, are the objects this vulnerability concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious users could delete, modify, or inject malicious content into projects belonging to other organizations, potentially leading to data loss, code compromise, or supply chain attacks.

🟠 Likely Case

Users accidentally or intentionally modifying projects in organizations where they should not have access, causing data integrity issues and unauthorized changes.

🟢 If Mitigated

Limited to users who already have some level of access within the Gitea instance, with audit trails potentially capturing unauthorized actions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with project write access in at least one organization. Because the flaw is in authorization logic rather than memory safety, no exploit development is needed: a user who already holds that privilege simply issues ordinary project edit requests against another organization's project.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.4

Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.25.4 from the official releases.
3. Stop the Gitea service.
4. Replace the binary with the new version.
5. Restart the Gitea service.
6. Verify that the reported version is 1.25.4.

🔧 Temporary Workarounds

Restrict User Access (all platforms)

Temporarily limit each user's team memberships to the organizations they actually need, and review every user who holds project write access in more than one organization; under this bug, write access in a single organization is enough to reach projects in all of them.

Audit Project Changes (all platforms)

Raise the log level and enable Gitea's access log so that every project modification can be attributed to a logged-in user and an organization (the access log records the method, request path and username for each request):

  # app.ini
  [log]
  LEVEL = Info
  ENABLE_ACCESS_LOG = true

🧯 If You Can't Patch

  • Implement strict access controls and review all user permissions across organizations
  • Enable comprehensive audit logging and monitor for unauthorized project modifications

🔍 How to Verify

Check if Vulnerable:

An instance is affected if its Gitea version is below 1.25.4, it hosts more than one organization, and at least one user has project write access in some organization (that user need not be a member of the organizations they can reach).

Check Version:

./gitea --version, or read the version shown in the admin panel of the web interface.
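The version check above, as an added example (not Gitea's own tooling): it parses the output of `gitea --version`, which begins "Gitea version X.Y.Z ..." (the wording of the rest of the line is an assumption), and compares the numeric core against the fixed release 1.25.4. Snapshot builds such as `1.25.4+dev-...` are compared on their numeric core only, so a nightly built before the fix landed would need a manual look at its commit.

```python
"""Check whether a Gitea build falls in the affected range for CVE-2026-20750.

Added example for this page, not part of Gitea. Assumes `gitea --version`
prints a line starting "Gitea version X.Y.Z" (further text on the line is
ignored).
"""
import re
import subprocess

FIXED = (1, 25, 4)  # first release with the fix, per the advisory
VERSION_RE = re.compile(r"\bversion\s+v?(\d+)\.(\d+)\.(\d+)")


def parse_version(output):
    """Return (major, minor, patch) from the text printed by `gitea --version`."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError("could not find a version number in: %r" % output)
    return tuple(int(part) for part in m.groups())


def is_vulnerable(output):
    """True when the numeric core of the version is older than 1.25.4.

    A '+dev' or similar suffix is deliberately ignored; such builds should be
    checked against the fix commit by hand.
    """
    return parse_version(output) < FIXED


def check_binary(path="gitea"):
    """Run the binary and return (version_tuple, vulnerable)."""
    out = subprocess.run(
        [path, "--version"], capture_output=True, text=True, check=True
    ).stdout
    return parse_version(out), is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample of the real output format, used when no binary is at hand.
    sample = "Gitea version 1.25.3 built with GNU Make 4.4.1, go1.24.1 : bindata, sqlite"
    print(parse_version(sample), "vulnerable" if is_vulnerable(sample) else "fixed")
```

`check_binary("/usr/local/bin/gitea")` runs the check against an installed binary; the two pure functions let the same logic be applied to version strings collected from many hosts by a fleet inventory tool.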

Verify Fix Applied:

After patching, confirm with a test account that holds project write access in exactly one organization that it can no longer modify a project in any other organization, and that its legitimate edits within its own organization still succeed.

📡 Detection & Monitoring

Log Indicators:

  • Project modifications (create, edit, delete) recorded against an organization in which the acting user holds no write permission
  • Users touching project pages of organizations they do not belong to
  • After patching, 403/404 responses to project write requests, which show that cross-organization attempts are still being made

Network Indicators:

  • Unusual pattern of project API calls across different organizations

SIEM Query:

Illustrative query over the Gitea access log (fields `user`, `method` and `path` are assumed to be extracted from the log line, and `project_writers` is a lookup table of user/org pairs with project write access that you maintain from the organizations' team memberships):

source="gitea" (method="POST" OR method="PUT" OR method="DELETE") path="*/-/projects/*"
| rex field=path "^/(?<org>[^/]+)/-/projects"
| lookup project_writers user org OUTPUT has_write
| where isnull(has_write)
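The cross-organization review from the workaround section and the detection query above share one ingredient: a table of which users hold project write access in which organization. The following added example (not Gitea's own code) builds that table from team data in the shape returned by Gitea's `GET /api/v1/orgs/{org}/teams` and `GET /api/v1/teams/{id}/members` endpoints (the `permission` and `units_map` fields; here replaced by constructed dicts so it runs offline), then runs it over constructed access log lines in Gitea's default access log format, flagging project writes to organizations where the user has no write access. The `/{org}/-/projects/...` route pattern is an assumption; repository-level project boards under `/{owner}/{repo}/projects/...` are not covered.

```python
"""Flag project writes outside the organizations where a user holds write access.

Added example for this page, not part of Gitea. Assumptions:
 - TEAMS mirrors the team objects Gitea's API returns (name, permission,
   units_map) with each team's member list attached; it is constructed data.
 - LOG_LINES are constructed lines in Gitea's default ACCESS_LOG_TEMPLATE
   (Combined-Log-like, logged-in username in the identity column, '-' if none).
 - Organization project pages live under /{org}/-/projects/... (assumed route).
"""
import re
from collections import defaultdict

TEAMS = {
    "acme": [
        {"name": "Owners", "permission": "owner", "units_map": {}, "members": ["alice"]},
        {"name": "devs", "permission": "write",
         "units_map": {"repo.code": "write", "repo.projects": "write"}, "members": ["bob"]},
    ],
    "globex": [
        {"name": "Owners", "permission": "owner", "units_map": {}, "members": ["carol"]},
        {"name": "readers", "permission": "read",
         "units_map": {"repo.code": "read", "repo.projects": "read"}, "members": ["bob"]},
    ],
}

# Constructed log lines: bob legitimately edits an acme project, then edits a
# globex project although he only reads there; an anonymous client and the
# globex owner are included as negatives.
LOG_LINES = [
    '192.0.2.10 - bob [12/Jan/2026:10:15:03 +0000] "POST /acme/-/projects/3/edit HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - bob [12/Jan/2026:10:16:41 +0000] "POST /globex/-/projects/7/edit HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '192.0.2.11 - alice [12/Jan/2026:10:17:02 +0000] "GET /globex/-/projects/7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2026:10:18:30 +0000] "POST /globex/-/projects/7/edit HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.12 - carol [12/Jan/2026:10:19:10 +0000] "POST /globex/-/projects/7/delete HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PROJECT_RE = re.compile(r"^/(?P<org>[^/]+)/-/projects(?:/|$)")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def project_writers(teams_by_org):
    """Return {org: set(users)} for users with write or higher on that org's projects.

    Owner/admin teams grant everything; other teams are judged on the
    repo.projects unit, falling back to the team-wide permission.
    """
    writers = defaultdict(set)
    for org, teams in teams_by_org.items():
        for team in teams:
            level = team["units_map"].get("repo.projects", team["permission"])
            if team["permission"] in ("owner", "admin") or level in ("write", "admin"):
                writers[org].update(team["members"])
    return dict(writers)


def multi_org_writers(writers):
    """Users with project write access in more than one org: the review list
    for the 'Restrict User Access' workaround."""
    by_user = defaultdict(set)
    for org, users in writers.items():
        for user in users:
            by_user[user].add(org)
    return {u: sorted(orgs) for u, orgs in by_user.items() if len(orgs) > 1}


def cross_org_project_writes(lines, writers):
    """Return (user, org, method, path, status) for each mutating request to an
    org project by a logged-in user who is not a project writer in that org.

    The status is kept: on an unpatched server these succeed (2xx/3xx); after
    the patch they should show up as 403/404 but still mark an attempt.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected access log format
        user, method, path = m["user"], m["method"], m["path"]
        if user == "-" or method not in MUTATING:
            continue  # anonymous, or a read
        p = PROJECT_RE.match(path)
        if p is None:
            continue  # not an organization project route
        if user not in writers.get(p["org"], set()):
            hits.append((user, p["org"], method, path, int(m["status"])))
    return hits


if __name__ == "__main__":
    w = project_writers(TEAMS)
    print("multi-org writers:", multi_org_writers(w))
    for hit in cross_org_project_writes(LOG_LINES, w):
        print("cross-org project write:", hit)
```

In production the `TEAMS` dict is populated from the API with a token that can read organization teams, and `LOG_LINES` is the rotated access log; the three functions are unchanged. Note that `multi_org_writers` is an inventory aid only: under this bug a user needs write access in a single organization to reach every other organization's projects, so the detection must run for all project writers, not just those in the multi-org list.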

🔗 References
