Description
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Published: 2026-01-22
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Private Repository Release Data Leak
Action: Patch
AI Analysis

Impact

Gitea can send release notification emails for private repositories to users whose access has been revoked after a repository is changed from public to private. The notification may reveal release titles, tags, and content, causing a leakage of confidential release information. The vulnerability is assessed as a disclosure of private data (confidentiality impact).

Affected Systems

The issue affects Gitea Open Source Git Server deployments in which a repository is switched from public to private after users have subscribed to (watched) it. All Gitea builds prior to the 1.25.4 release that exhibit the described release-notification behaviour are affected; the advisory gives no narrower version range.

Risk and Exploitability

The CVSS 3.1 base score of 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) rates this as low severity, the EPSS score below 1% indicates a very low probability of exploitation at the time of analysis, and the issue is not listed in the CISA KEV catalog. The attack path is incidental rather than active: an account that watched the repository while it was public keeps receiving release e-mails after the repository is made private, so the only prerequisite is a low-privileged account that held a watch subscription before its access was revoked (PR:L). No code execution or authentication bypass is involved; the impact is confined to the confidentiality of release titles, tags and release notes (C:L, I:N, A:N). The SSVC assessment recorded in the history below marks the issue as not automatable, with no known exploitation.
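The Impact and Risk paragraphs above describe a recipient-selection defect: the release notifier trusts a watcher list that was built while the repository was public and does not re-check read access once the repository has become private. The Go program below is an added illustration written for this page, not Gitea's own code; the Repo type, the user names and the repository name "demo/app" are constructed. It contrasts a notifier that mails every watcher with one that re-evaluates access at send time, and computes the audit view an operator would want: the watchers who would still be mailed but can no longer read the repository.

```go
package main

import (
	"fmt"
	"sort"
)

// Repo is a minimal, constructed model of a repository's visibility and
// access state. It is not Gitea's data model; it only carries what the
// recipient check needs.
type Repo struct {
	Name    string
	Private bool
	// Readers are accounts that currently hold read access (owner,
	// collaborators, team members). Ignored while the repository is public.
	Readers map[string]bool
	// Watchers are accounts subscribed to notifications, possibly since
	// the time the repository was still public.
	Watchers []string
}

// canRead is the per-recipient access check a notifier must apply at send
// time: public repositories are readable by anyone, private ones only by
// current readers.
func (r Repo) canRead(user string) bool {
	if !r.Private {
		return true
	}
	return r.Readers[user]
}

// vulnerableRecipients models the pre-fix behaviour the advisory describes:
// every watcher is mailed, regardless of whether the repository has since
// been made private.
func vulnerableRecipients(r Repo) []string {
	out := append([]string(nil), r.Watchers...)
	sort.Strings(out)
	return out
}

// fixedRecipients re-checks access for each watcher when the release is
// published, so watchers whose access was revoked by the public->private
// change are dropped from the mailing.
func fixedRecipients(r Repo) []string {
	var out []string
	for _, w := range r.Watchers {
		if r.canRead(w) {
			out = append(out, w)
		}
	}
	sort.Strings(out)
	return out
}

// leakedTo is the audit view: watchers who would receive a release e-mail
// under the vulnerable behaviour but cannot read the repository now.
func leakedTo(r Repo) []string {
	var out []string
	for _, w := range r.Watchers {
		if !r.canRead(w) {
			out = append(out, w)
		}
	}
	sort.Strings(out)
	return out
}

// exampleRepo builds the constructed scenario: "demo/app" was public,
// collected three watchers, then was switched to private with only alice
// retaining read access.
func exampleRepo() Repo {
	return Repo{
		Name:     "demo/app",
		Private:  true,
		Readers:  map[string]bool{"alice": true},
		Watchers: []string{"carol", "alice", "bob"},
	}
}

func main() {
	r := exampleRepo()
	fmt.Println("vulnerable recipients:", vulnerableRecipients(r))
	fmt.Println("fixed recipients:     ", fixedRecipients(r))
	fmt.Println("leaked to:            ", leakedTo(r))
}
```

The same intersection, watchers filtered by the repository's current read check, is what to apply when auditing an existing instance: for each private repository, compare its watcher list against the accounts that currently hold read access and flag the difference. On a pre-1.25.4 instance, any non-empty difference is a live disclosure path for the next release until the upgrade is applied.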

Generated by OpenCVE AI on April 18, 2026 at 03:33 UTC.

Remediation

No vendor workaround is recorded in this entry; the vendor fix is the 1.25.4 release listed under the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.4 or later to apply the vendor fix for release notification leaks.
  • Review repository visibility settings and revoke watch or notification permissions for users who no longer require access.
  • Monitor outgoing release emails to ensure that no notifications are sent for private repositories to unintended recipients.



Advisories
Source ID Title
GitHub GHSA   GHSA-8fwc-qjw5-rvgp   Gitea may send release notification emails for private repositories to users whose access has been revoked
History

Thu, 29 Jan 2026 22:00:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*

Tue, 27 Jan 2026 00:15:00 +0000

Type         Values Removed           Values Added
Weaknesses                            CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)
References
Metrics      threat_severity: None    threat_severity: Low


Fri, 23 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Gitea
                                       Gitea gitea
Vendors & Products                     Gitea
                                       Gitea gitea

Thu, 22 Jan 2026 23:00:00 +0000

Type          Values Removed   Values Added
Description                    Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Title                          Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
Weaknesses                     CWE-284 (Improper Access Control)
References

MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-01-23T16:49:04.309Z

Reserved: 2026-01-08T23:02:08.534Z

Link: CVE-2026-0798

Vulnrichment

Updated: 2026-01-23T16:48:29.754Z

NVD

Status : Analyzed

Published: 2026-01-22T22:16:15.957

Modified: 2026-01-29T21:59:24.397

Link: CVE-2026-0798

Red Hat

Severity : Low

Public Date: 2026-01-22T22:01:49Z

Links: CVE-2026-0798 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses