Description
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of repository attachments
Action: Apply Patch
AI Analysis

Impact

A missing ownership check in Gitea allows a user who previously contributed to a repository to delete attachments from that repository after they have lost access to it. The deletion can be performed by sending a request in the context of another repository the user still can access, bypassing the intended restriction. Successful exploitation results in loss of data and can be used to remove evidence or tamper with the repository history. The weakness is a classic example of insufficient authorization controls (CWE‑284).

Affected Systems

The vulnerability affects Gitea, the open‑source Git hosting platform. All versions prior to the release of 1.25.4 are impacted, as the issue was fixed in that update. No version matrix is provided in the advisory, but it is understood that any Gitea instance using an older release is at risk.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity. The EPSS score is below 1 %, indicating a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can authenticate to a repository they no longer own, and who also have access to a different repository, may craft a deletion request that targets the former repository’s attachments. No special hardware or complex prerequisites are required; the flaw exploits a logical oversight in the permission checks that enables the cross‑repository deletion.

Generated by OpenCVE AI on April 18, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.4 or later, which includes the missing ownership check for attachment deletion.
  • Verify that the configuration only allows repository owners or administrators to delete attachments; audit any custom permission settings that might override the default behavior.
  • Monitor attachment deletion logs for anomalies and enforce stricter access controls on repositories to reduce the window of opportunity for misuse.

Generated by OpenCVE AI on April 18, 2026 at 03:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hgr3-x44x-33hx Gitea has improper access control for uploaded attachments
History

Thu, 29 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*

Tue, 27 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 23 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gitea
Gitea gitea
Vendors & Products Gitea
Gitea gitea

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Title Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check
Weaknesses CWE-284
References

Subscriptions

Gitea Gitea
cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-01-23T21:54:48.862Z

Reserved: 2026-01-08T23:02:37.558Z

Link: CVE-2026-20736

cve-icon Vulnrichment

Updated: 2026-01-23T21:13:18.343Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T22:16:17.207

Modified: 2026-01-29T21:46:59.497

Link: CVE-2026-20736

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-22T22:01:49Z

Links: CVE-2026-20736 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses