Description
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

The vulnerability arises from Gitea's notification API failing to re-validate repository access when delivering notification details, allowing a user whose collaborator permission has been revoked to still view the titles of issues and pull requests in private repositories. This exposure leaks internal project metadata and compromises the confidentiality of development status and priorities. The underlying weakness is a missing access-control check on the notification path, classified as CWE-200 (exposure of sensitive information to an unauthorized actor).

Affected Systems

The affected product is the Gitea Open Source Git Server. No specific version ranges are listed in the advisory, but the fix is included in the 1.25.4 release.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. A former collaborator can exploit the flaw simply by querying the notification endpoint after their access has been revoked; the only prerequisite is a previously received notification, with no further privileges required.

Generated by OpenCVE AI on April 18, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.4 or later, which revises the permission checks in the notification API.
  • Purge or delete existing notifications that contain titles of private issues for users whose access has been revoked.
  • If an upgrade is not immediately possible, disable or restrict the notification endpoint for private repositories until a patch is applied.



Advisories

  Source: GitHub GHSA
  ID:     GHSA-2vgv-hgv4-22mh
  Title:  Gitea improperly exposes issue and pull request titles
History

Thu, 29 Jan 2026 22:00:00 +0000

  Type: CPEs
  Values Added: cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*

Fri, 23 Jan 2026 22:15:00 +0000

  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
    ssvc:     {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

  Type: First Time appeared
  Values Added: Gitea (vendor), Gitea gitea (product)

  Type: Vendors & Products
  Values Added: Gitea (vendor), Gitea gitea (product)

Thu, 22 Jan 2026 23:00:00 +0000

  Type: Description
  Values Added: Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.

  Type: Title
  Values Added: Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation

  Type: Weaknesses
  Values Added: CWE-200
References

MITRE

  Status: PUBLISHED
  Assigner: Gitea
  Published:
  Updated: 2026-01-23T21:54:29.961Z
  Reserved: 2026-01-08T23:02:37.571Z
  Link: CVE-2026-20800

Vulnrichment

  Updated: 2026-01-23T21:11:43.328Z

NVD

  Status: Analyzed
  Published: 2026-01-22T22:16:17.540
  Modified: 2026-01-29T21:57:04.013
  Link: CVE-2026-20800

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-18T03:45:21Z

Weaknesses