CVE-2026-20897
📋 TL;DR
CVE-2026-20897 is an improper access control vulnerability in Gitea where users with write access to any repository can delete Git LFS locks belonging to other repositories. This allows unauthorized modification of locked files across the entire Gitea instance. All Gitea instances with Git LFS enabled and multiple repositories are affected.
💻 Affected Systems
- Gitea
📦 What is this software?
Gitea by Gitea
⚠️ Risk & Real-World Impact
Worst Case
An attacker with write access to any repository could delete LFS locks across all repositories, potentially disrupting workflows, causing data corruption, or enabling unauthorized modifications to critical files.
Likely Case
Accidental or malicious deletion of LFS locks in repositories where the user shouldn't have access, leading to version control conflicts and workflow disruption.
If Mitigated
Minimal impact with proper repository access controls and monitoring, though the vulnerability still represents a privilege escalation risk.
🎯 Exploit Status
Exploitation requires an authenticated user with write access to at least one repository. Once authenticated, the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.25.4
Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-rrq5-r9h5-pc7c
Restart Required: Yes
Instructions:
1. Back up your Gitea instance and database.
2. Download Gitea 1.25.4 or later from https://github.com/go-gitea/gitea/releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify that the reported version is 1.25.4 or higher.
🔧 Temporary Workarounds
Disable Git LFS
Temporarily disable Git LFS functionality to prevent exploitation while planning the upgrade.
Set ENABLED = false in the [lfs] section of the app.ini configuration file.
Restrict Repository Access
Limit users to only the repository access they need, to reduce the attack surface.
Review and tighten repository permissions in the Gitea admin panel.
🧯 If You Can't Patch
- Implement strict repository access controls to limit which users have write access
- Monitor Git LFS lock deletion logs for suspicious activity across repository boundaries
🔍 How to Verify
Check if Vulnerable:
Check whether the Gitea version is below 1.25.4 and Git LFS is enabled in the app.ini configuration.
Check Version:
Run ./gitea --version, or check Admin Panel → Configuration → About.
Verify Fix Applied:
Verify Gitea version is 1.25.4 or higher and test that users cannot delete LFS locks from repositories they don't own.
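The two checks above (version below 1.25.4, LFS enabled) can be scripted. The following is an added example, not part of the advisory or of Gitea's own tooling: it pulls the x.y.z number out of `gitea --version` output, reads the LFS flag from an app.ini fragment, and combines the two. The sample version string and app.ini fragment are constructed; the `[lfs] ENABLED` section and key follow the workaround described on this page and are passed in as parameters so they can be adjusted to an instance's actual configuration.

```python
import configparser
import re

# First release that contains the fix, per the vendor advisory above.
FIXED_VERSION = (1, 25, 4)

# Constructed sample of `gitea --version` output; only the x.y.z number
# is relied upon, the surrounding wording is an assumption.
SAMPLE_VERSION_OUTPUT = "Gitea version 1.25.3 built with GNU Make 4.4.1, go1.24.0"

# Constructed app.ini fragment using the section/key named in the workaround.
SAMPLE_APP_INI = """\
[server]
DOMAIN = git.example.test

[lfs]
ENABLED = true ; constructed sample value
"""


def parse_gitea_version(output):
    """Return the (major, minor, patch) tuple found in `gitea --version` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no x.y.z version number found in: %r" % output)
    return tuple(int(part) for part in m.groups())


def lfs_enabled_in_app_ini(ini_text, section="lfs", key="ENABLED"):
    """Read the LFS enable flag from app.ini text.

    Section and key default to the values given in the workaround on this page
    (assumption); pass different names if your instance uses others.
    Missing section or key is treated as LFS disabled.
    """
    cfg = configparser.ConfigParser(
        interpolation=None,          # app.ini values may contain '%'
        strict=False,                # tolerate duplicate keys
        allow_no_value=True,         # tolerate bare keys
        inline_comment_prefixes=(";", "#"),
    )
    cfg.read_string(ini_text)
    return cfg.getboolean(section, key, fallback=False)


def is_vulnerable(version, lfs_enabled):
    """True when the instance is below the fixed version AND LFS is enabled."""
    return bool(lfs_enabled) and tuple(version) < FIXED_VERSION


def assess(version_output, ini_text):
    """Convenience wrapper: returns (version_tuple, lfs_enabled, vulnerable)."""
    version = parse_gitea_version(version_output)
    lfs = lfs_enabled_in_app_ini(ini_text)
    return version, lfs, is_vulnerable(version, lfs)


if __name__ == "__main__":
    version, lfs, vuln = assess(SAMPLE_VERSION_OUTPUT, SAMPLE_APP_INI)
    print("version=%s lfs_enabled=%s vulnerable=%s" % (".".join(map(str, version)), lfs, vuln))
```

Tuple comparison handles the version ordering correctly (for example 1.25.10 sorts after 1.25.4, which a string compare would get wrong). Note that this only tells you whether the instance is in the affected range; it does not test the behaviour itself, so the manual check that users cannot delete locks from repositories they do not own still applies after upgrading.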
📡 Detection & Monitoring
Log Indicators:
- Unauthorized LFS lock deletions across repository boundaries
- Users deleting locks from repositories they don't own
Network Indicators:
- Unusual patterns of LFS API calls from single users across multiple repositories
SIEM Query:
source="gitea.log" AND "DELETE" AND "/locks" AND repository_id!="expected_repository"
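The log indicators above boil down to one signal: a successful lock-deletion request whose URL names one repository while the lock ID it targets belongs to another. The following is an added example, not part of the advisory or of Gitea's code, showing that correlation over constructed request-log lines. It assumes a simplified "user method path status" line shape (not Gitea's actual log format), accepts both a `DELETE .../locks/<id>` form and the Git LFS API's `POST .../locks/<id>/unlock` form, and takes a constructed lock-ID-to-repository map standing in for the instance's real lock data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed lock registry: lock id -> repository that owns the lock.
# In practice this mapping would be rebuilt from the instance's lock data
# (assumption; how you obtain it depends on your deployment).
LOCK_OWNER = {
    "101": "alice/design-assets",
    "102": "alice/design-assets",
    "201": "finance/reports",
}

# Constructed request-log lines in a simplified "user method path status"
# shape. Not Gitea's real log format; adapt the regex to your own logs.
SAMPLE_LOG = """\
alice POST /alice/design-assets.git/info/lfs/locks/101/unlock 200
bob POST /bob/scratch.git/info/lfs/locks/201/unlock 200
bob DELETE /bob/scratch.git/info/lfs/locks/102 200
carol GET /finance/reports.git/info/lfs/locks 200
dave POST /dave/tools.git/info/lfs/locks/999/unlock 404
"""

# Matches a lock-deletion request and captures the repository named in the
# path plus the lock id being deleted.
LOCK_DELETE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<method>POST|DELETE)\s+"
    r"/(?P<repo>[^/\s]+/[^/\s]+?)(?:\.git)?/info/lfs/locks/(?P<lock_id>\d+)(?:/unlock)?"
    r"\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    request_repo: str   # repository named in the request URL
    lock_id: str
    lock_repo: str      # repository that actually owns the lock


def find_cross_repo_unlocks(log_text, lock_owner):
    """Return lock deletions where the URL's repository != the lock's owner.

    Only successful (2xx) requests are reported; a failed attempt did not
    modify any lock. Unknown lock ids are skipped, since there is nothing
    to compare against.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOCK_DELETE_RE.match(line.strip())
        if not m or not m.group("status").startswith("2"):
            continue
        lock_repo = lock_owner.get(m.group("lock_id"))
        if lock_repo is None or lock_repo == m.group("repo"):
            continue
        findings.append(Finding(m.group("user"), m.group("repo"),
                                m.group("lock_id"), lock_repo))
    return findings


def foreign_repos_per_user(findings):
    """Summarise findings as user -> sorted list of repositories whose locks
    were deleted from elsewhere; useful for spotting one account sweeping
    locks across many repositories."""
    repos = defaultdict(set)
    for f in findings:
        repos[f.user].add(f.lock_repo)
    return {user: sorted(r) for user, r in repos.items()}


if __name__ == "__main__":
    hits = find_cross_repo_unlocks(SAMPLE_LOG, LOCK_OWNER)
    for f in hits:
        print("user=%s deleted lock %s of %s via %s" % (f.user, f.lock_id, f.lock_repo, f.request_repo))
    print(foreign_repos_per_user(hits))
```

On a patched instance the mismatch should never succeed, so any finding after upgrading is worth investigating on its own; before upgrading, a user who appears against several foreign repositories is the pattern the network-indicator bullet above describes.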