CVE-2026-20800
📋 TL;DR
This vulnerability in Gitea allows users who have had their access to private repositories revoked to still view issue and pull request titles through previously received notifications. It affects Gitea instances where users have been removed from private repositories but still have notification history. This is an information disclosure vulnerability that exposes sensitive metadata.
💻 Affected Systems
- Gitea
📦 What is this software?
Gitea by Gitea
⚠️ Risk & Real-World Impact
Worst Case
Former collaborators could access sensitive issue/pull request titles from private repositories, potentially revealing confidential project details, security issues, or business intelligence.
Likely Case
Users who have been removed from private repositories can see titles of issues/PRs they previously had access to, potentially learning about ongoing work or sensitive topics.
If Mitigated
With proper access controls and monitoring, the impact is limited to metadata disclosure rather than full content access.
🎯 Exploit Status
Exploitation requires a valid user account that has been removed from a private repository but still has notification history.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.25.4
Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-g54m-9f6g-wj7q
Restart Required: Yes
Instructions:
1. Backup your Gitea instance and database.
2. Download Gitea v1.25.4 or later from official releases.
3. Stop Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart Gitea service.
6. Verify the version is updated.
🔧 Temporary Workarounds
Disable notifications API
Temporarily disable the notifications API endpoint to prevent exploitation
# Modify Gitea configuration to restrict notifications API access
Clear notification history
Periodically clear notification history for users removed from repositories
# SQL query to delete notifications for users without repository access
🧯 If You Can't Patch
- Implement strict access monitoring and alert on users accessing notifications after repository removal
- Regularly audit and manually clear notification history for users with changed permissions
🔍 How to Verify
Check if Vulnerable:
Check if Gitea version is below 1.25.4 and if users removed from private repositories can still see notification titles
Check Version:
./gitea --version
Verify Fix Applied:
After patching, verify that users removed from private repositories cannot see issue/PR titles in notifications
📡 Detection & Monitoring
Log Indicators:
- Users accessing notifications API after repository access revocation
- Unusual notification access patterns
Network Indicators:
- API calls to /api/v1/notifications from users without current repository access
SIEM Query:
source="gitea" uri_path="/api/v1/notifications" | join type=inner user_id [search source="gitea" event="repository_access_revoked"] | table _time user_id uri_path
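The same correlation expressed as runnable detection logic, as an added example that is not part of this advisory or of the Gitea project: it joins notifications-API requests to repository-access revocations by user and flags requests made after the revocation. The log layout and field names (user=, path=, event=) are constructed assumptions, not Gitea's real log format.

```python
"""Flag former collaborators who keep polling /api/v1/notifications after
their repository access was revoked (CVE-2026-20800 detection heuristic).
Log layout and field names below are constructed assumptions."""
from datetime import datetime, timedelta
from typing import NamedTuple


class Hit(NamedTuple):
    user: str
    repo: str
    revoked_at: datetime
    accessed_at: datetime


# Constructed sample events (not real Gitea output).
REVOCATIONS = [
    "2026-01-10T09:00:00Z user=alice repo=acme/secret-api event=repository_access_revoked",
]
ACCESS_LOG = [
    "2026-01-10T08:30:00Z user=alice path=/api/v1/notifications status=200",  # before revocation
    "2026-01-10T09:45:00Z user=alice path=/api/v1/notifications status=200",  # after revocation
    "2026-01-10T10:00:00Z user=bob path=/api/v1/notifications status=200",    # never revoked
    "2026-01-11T12:00:00Z user=alice path=/api/v1/repos/acme/public status=200",  # other endpoint
]


def parse(line: str) -> dict:
    """Split 'ISO-timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_post_revocation_access(revocations, access_log, window=timedelta(days=30)):
    """Return notifications-API requests a user made after losing access to a
    repository, limited to `window` after the revocation to bound the join."""
    revoked = [parse(line) for line in revocations]
    hits = []
    for entry in (parse(line) for line in access_log):
        if not entry["path"].startswith("/api/v1/notifications"):
            continue
        for r in revoked:
            if r["user"] == entry["user"] and r["ts"] <= entry["ts"] <= r["ts"] + window:
                hits.append(Hit(entry["user"], r["repo"], r["ts"], entry["ts"]))
    return hits


if __name__ == "__main__":
    for hit in find_post_revocation_access(REVOCATIONS, ACCESS_LOG):
        print(f"{hit.user} read notifications at {hit.accessed_at} "
              f"after losing {hit.repo} at {hit.revoked_at}")
```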