CVE-2026-20904

6.5 MEDIUM

📋 TL;DR

This vulnerability in Gitea allows authenticated users to modify the visibility settings of other users' OpenID identities due to improper ownership validation. It affects all Gitea instances running vulnerable versions. Attackers could expose or hide OpenID URIs belonging to other users.

💻 Affected Systems

Products:
  • Gitea
Versions: before 1.25.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Gitea deployments with OpenID integration enabled are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could expose sensitive OpenID URIs of other users, potentially revealing personal information or enabling further attacks through identity association.

🟠 Likely Case

Malicious users could toggle the visibility of other users' OpenID identities, causing confusion or minor privacy violations.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to visibility changes that can be audited and reversed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.4

Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx

Restart Required: Yes

Instructions:

1. Back up your Gitea instance.
2. Download Gitea 1.25.4 or later from the official releases.
3. Stop the Gitea service.
4. Replace the binary with the new version.
5. Restart the Gitea service.

🔧 Temporary Workarounds

Disable OpenID Integration (applies to: all)

Temporarily disable OpenID functionality to prevent exploitation.

Modify app.ini to disable OpenID:

  [openid]
  ENABLE_OPENID_SIGNIN = false

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unauthorized OpenID visibility changes
  • Disable OpenID functionality until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check the Gitea version: if it is lower than 1.25.4, the instance is vulnerable.

Check Version:

./gitea --version

Verify Fix Applied:

Verify that the Gitea version is 1.25.4 or higher, then test that OpenID visibility changes still work for the user's own identities.
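The version check above is easy to get wrong with a plain string comparison (for example, "1.25.10" sorts before "1.25.4" lexically). The following POSIX shell script is an added example, not part of the advisory or of Gitea itself: it parses the first line of `gitea --version` and compares it field by field against the fixed version. The output format "Gitea version x.y.z built with ..." is assumed; adjust the `sed` pattern if your build prints something different.

```shell
#!/bin/sh
# Added example: classify a Gitea version as vulnerable or fixed for CVE-2026-20904.
# Assumes `gitea --version` prints a line starting "Gitea version x.y.z ..." (adjust if not).
FIXED_VERSION="1.25.4"

# Extract the numeric x.y.z part from a `gitea --version` output line.
extract_version() {
    # $1: full output line, e.g. "Gitea version 1.25.3 built with GNU Make 4.4.1, go1.24.0 : bindata"
    printf '%s\n' "$1" | sed -n 's/^Gitea version \([0-9][0-9.]*\).*/\1/p'
}

# Field-by-field numeric comparison so that 1.25.10 is correctly newer than 1.25.4.
# Prints "vulnerable" if $1 is older than FIXED_VERSION, otherwise "fixed".
classify_version() {
    ver="$1"
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    v_major=${1:-0}; v_minor=${2:-0}; v_patch=${3:-0}
    set -- $(printf '%s' "$FIXED_VERSION" | tr '.' ' ')
    f_major=$1; f_minor=$2; f_patch=$3
    if [ "$v_major" -lt "$f_major" ] || \
       { [ "$v_major" -eq "$f_major" ] && [ "$v_minor" -lt "$f_minor" ]; } || \
       { [ "$v_major" -eq "$f_major" ] && [ "$v_minor" -eq "$f_minor" ] && [ "$v_patch" -lt "$f_patch" ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Run the check against a binary: $1 is the path to gitea (defaults to ./gitea).
# Returns 2 if the binary cannot be run or its version line cannot be parsed.
check_binary() {
    bin="${1:-./gitea}"
    line=$("$bin" --version 2>/dev/null | head -n 1) || { echo "could not run $bin" >&2; return 2; }
    ver=$(extract_version "$line")
    [ -n "$ver" ] || { echo "could not parse version from: $line" >&2; return 2; }
    classify_version "$ver"
}

# Only run against a real binary when one is present next to the script.
if [ -x ./gitea ]; then
    check_binary ./gitea
fi
```

Run it from the Gitea install directory, or call `check_binary /path/to/gitea` after sourcing the script; after upgrading, the same call should print "fixed".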

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized OpenID visibility toggle events in Gitea logs
  • Multiple OpenID visibility changes from single user

Network Indicators:

  • Unusual API calls to OpenID endpoints

SIEM Query:

source="gitea.log" AND "OpenID" AND "visibility" AND "toggle"
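The log indicator "multiple OpenID visibility changes from a single source" can be turned into a concrete check. The script below is an added example (not from the advisory or from the Gitea project) that counts POST requests to the visibility-toggle route per client address in Gitea router log lines and reports any source above a threshold. It assumes the router log line format shown in the constructed sample ("router: completed POST <path> for <ip>:<port>, ...") and the route path /user/settings/security/openid/toggle_visibility; treat both as placeholders to confirm against your own deployment's logs.

```shell
#!/bin/sh
# Added example: flag client addresses that issue many OpenID visibility toggles.
# Assumed log format and route path; the sample lines below are constructed for this example.

THRESHOLD=3
TOGGLE_PATH="/user/settings/security/openid/toggle_visibility"

# Constructed sample excerpt of a Gitea router log (not real data).
SAMPLE_LOG='2026/01/10 09:00:01 ...router: completed POST /user/settings/security/openid/toggle_visibility for 10.0.0.5:51234, 303 See Other in 3.1ms
2026/01/10 09:00:02 ...router: completed POST /user/settings/security/openid/toggle_visibility for 10.0.0.5:51235, 303 See Other in 2.9ms
2026/01/10 09:00:03 ...router: completed GET /user/settings/security for 10.0.0.5:51236, 200 OK in 5.0ms
2026/01/10 09:00:04 ...router: completed POST /user/settings/security/openid/toggle_visibility for 10.0.0.5:51237, 303 See Other in 3.0ms
2026/01/10 09:00:05 ...router: completed POST /user/settings/security/openid/toggle_visibility for 10.0.0.5:51238, 303 See Other in 3.3ms
2026/01/10 09:05:00 ...router: completed POST /user/settings/security/openid/toggle_visibility for 192.168.1.20:40001, 303 See Other in 2.8ms'

# Reads log lines on stdin; prints "<ip> <count>" for each client address that
# issued more than THRESHOLD toggle requests. Only POSTs to the toggle route count;
# GETs of the settings page are ignored.
flag_toggle_sources() {
    awk -v path="$TOGGLE_PATH" -v thr="$THRESHOLD" '
        $0 ~ ("completed POST " path " for ") {
            # The token after "for" is "<ip>:<port>," ; strip the port and comma.
            # Works for IPv6 too, where the address is bracketed ("[::1]:1234,").
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    tok = $(i + 1)
                    sub(/:[0-9]+,?$/, "", tok)
                    n[tok]++
                }
            }
        }
        END { for (ip in n) if (n[ip] > thr) print ip, n[ip] }'
}

# Convenience wrapper for the constructed sample: number of flagged sources.
count_flagged_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_toggle_sources | wc -l | tr -d ' '
}

# Typical use on a real deployment (path is an assumption, adjust to your log location):
#   flag_toggle_sources < /var/lib/gitea/log/gitea.log
```

A flagged source is a prompt to review that account's activity, not proof of abuse; the router log carries the client address rather than the username, so correlate with authentication logs before acting.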
