Description
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Gitea's stopwatch API fails to re-validate repository permissions after a user's access is revoked. The flaw falls under CWE-284, an access control weakness, and allows an attacker to see issue titles and repository names that are otherwise hidden in private repositories. The disclosed information can aid reconnaissance of internal projects and may expose sensitive project metadata. The vulnerability does not allow code execution or data exfiltration beyond these metadata fields.

Affected Systems

All installations of the Gitea Open Source Git Server are potentially impacted. The specific product names and affected version ranges are not listed in the available data. Users should assume that any unpatched Gitea instance could be vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require a user who authenticated and started a stopwatch on the repository before their access was revoked, and whose stopwatch remains active afterwards. No additional external conditions are specified in the advisory, so the flaw appears to be exploitable only when an API call can be made against a repository the user no longer has access to.

Generated by OpenCVE AI on April 18, 2026 at 03:32 UTC.
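The condition described above, modelled as an added example that is not Gitea's code (every identifier is hypothetical): a stopwatch row is treated as proof of access unless the repository permission is re-validated on each request.

```go
package main

import "fmt"

// Constructed model of the flaw described above: an added example, not Gitea's code; all names hypothetical.
// Issue is the metadata a stopwatch exposes: repository name and title.
type Issue struct{ RepoName, Title string }
// Stopwatch links a user to the issue they are timing.
type Stopwatch struct{ UserID, IssueID int64 }
// Store stands in for the database plus the permission layer.
type Store struct {
	Issues  map[int64]Issue
	Watches []Stopwatch
	Access  map[int64]map[string]bool // userID -> repo name -> may read
}

// NewSampleStore returns constructed data: user 7 is timing an issue in a private repo it can read.
func NewSampleStore() *Store {
	return &Store{
		Issues:  map[int64]Issue{1: {"acme/private-repo", "Rotate prod credentials"}},
		Watches: []Stopwatch{{UserID: 7, IssueID: 1}},
		Access:  map[int64]map[string]bool{7: {"acme/private-repo": true}},
	}
}

// RevokeAccess removes the user from the repo; the stopwatch row is deliberately left behind.
func (s *Store) RevokeAccess(userID int64, repo string) { delete(s.Access[userID], repo) }

// ListStopwatches returns the issues behind a user's stopwatches. recheck=false mirrors the
// flaw (the row is trusted as proof of access); recheck=true re-validates access per request.
func (s *Store) ListStopwatches(userID int64, recheck bool) []Issue {
	var out []Issue
	for _, w := range s.Watches {
		if w.UserID != userID {
			continue
		}
		iss := s.Issues[w.IssueID]
		if recheck && !s.Access[userID][iss.RepoName] {
			continue // revoked: neither the title nor the repo name leaves the server
		}
		out = append(out, iss)
	}
	return out
}

func main() {
	s := NewSampleStore()
	s.RevokeAccess(7, "acme/private-repo")
	fmt.Println(len(s.ListStopwatches(7, false)), len(s.ListStopwatches(7, true))) // prints: 1 0
}
```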

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.4 or later, which includes a fix for the stopwatch authorization check.
  • Disable the stopwatch feature or restrict its use to administrators to prevent accidental disclosure of private metadata.
  • Review and audit repository permission settings to ensure that access revocations are performed correctly and that no lingering API sessions remain active.



Advisories

Source: Github GHSA
ID: GHSA-j8xr-c56q-m8jj
Title: Gitea improperly exposes issue titles and repository names through previously started stopwatches
History

Thu, 29 Jan 2026 22:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*

Tue, 27 Jan 2026 00:15:00 +0000

Type: References

Type: Metrics threat_severity
Values Removed: None
Values Added: Moderate

Fri, 23 Jan 2026 22:15:00 +0000

Type: Metrics cvssV3_1
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Gitea, Gitea gitea

Type: Vendors & Products
Values Added: Gitea, Gitea gitea

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.

Type: Title
Values Added: Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure

Type: Weaknesses
Values Added: CWE-284

Type: References

MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-01-23T21:54:21.705Z

Reserved: 2026-01-08T23:02:37.553Z

Link: CVE-2026-20883

Vulnrichment

Updated: 2026-01-23T21:10:57.579Z

NVD

Status: Analyzed

Published: 2026-01-22T22:16:17.713

Modified: 2026-01-29T21:58:25.013

Link: CVE-2026-20883

Redhat

Severity: Moderate

Public Date: 2026-01-22T22:01:50Z

Links: CVE-2026-20883 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z