CVE-2026-20912

9.1 CRITICAL

📋 TL;DR

Gitea versions before 1.25.4 have an improper access control vulnerability where attachments uploaded to private repositories can be linked to releases in public repositories. This allows unauthorized users to access private files that should remain restricted. All Gitea instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.25.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Gitea deployments with both private and public repositories are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive files from private repositories are exposed to the public internet, potentially leaking confidential data, intellectual property, or credentials.

🟠 Likely Case

Accidental or targeted exposure of private repository attachments through public releases, leading to data leakage.

🟢 If Mitigated

Minimal impact if proper network segmentation and access controls limit exposure, but the flaw still violates repository isolation principles.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to upload attachments, but the vulnerability allows cross-repository linking that bypasses intended access controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.4

Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.25.4 from the official releases.
3. Stop the Gitea service.
4. Replace the binary with the new version.
5. Restart the Gitea service.
6. Verify the version and functionality.

🔧 Temporary Workarounds

Disable release attachments (applies to: all)

Temporarily disable the ability to attach files to releases to prevent exploitation. Note that this setting disables attachment uploads across the whole instance (issues and pull requests included), not only on releases.

# Modify app.ini to disable attachments
[attachment]
ENABLED = false

🧯 If You Can't Patch

  • Restrict user permissions to prevent unauthorized users from creating releases or uploading attachments.
  • Implement network-level controls to limit access to the Gitea instance and monitor for suspicious attachment linking activity.

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface admin panel or run: ./gitea --version

Check Version:

./gitea --version

Verify Fix Applied:

Confirm version is 1.25.4 or later and test that private repository attachments cannot be linked to public releases.
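An added helper (not part of this advisory or of Gitea) that automates the version check above: it parses the first line of `./gitea --version` output, which is assumed to start with "Gitea version X.Y.Z", and reports whether the running build is below the fixed release. Pre-release suffixes (e.g. "-rc1", "-dev") are ignored, so treat such builds with extra care.

```shell
FIXED_VERSION="1.25.4"   # first release carrying the fix, per the advisory

# version_lt A B: succeed (exit 0) if dotted numeric version A is strictly lower than B.
# Compares major, minor and patch fields numerically, so 1.25.10 is correctly above 1.25.4.
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    f1=$(printf '%s' "$1" | cut -d. -f"$i")
    f2=$(printf '%s' "$2" | cut -d. -f"$i")
    f1=${f1:-0}; f2=${f2:-0}          # missing field (e.g. "1.25") counts as 0
    [ "$f1" -lt "$f2" ] && return 0
    [ "$f1" -gt "$f2" ] && return 1
    i=$((i + 1))
  done
  return 1                            # all fields equal: not lower
}

# gitea_version_from_output LINE: extract "X.Y.Z" from the `gitea --version` banner.
# Assumption: the banner begins with "Gitea version " followed by the number.
gitea_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^Gitea version \([0-9][0-9.]*\).*/\1/p'
}

# is_vulnerable LINE: exit 0 if the reported version is below FIXED_VERSION,
# 1 if it is at or above it, 2 if the banner could not be parsed.
is_vulnerable() {
  ver=$(gitea_version_from_output "$1")
  [ -n "$ver" ] || return 2
  version_lt "$ver" "$FIXED_VERSION"
}

# Usage against a live install (constructed example invocation):
#   if is_vulnerable "$(./gitea --version | head -n 1)"; then echo "VULNERABLE: update to $FIXED_VERSION"; fi
```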

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-repository attachment linking events
  • Multiple failed access attempts to private attachments from unauthorized users

Network Indicators:

  • Unexpected downloads of private repository attachments from public IPs

SIEM Query:

source="gitea.log" AND ("attachment" AND "release" AND "repository")
