Description
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized OpenID visibility modification
Action: Immediate Patch
AI Analysis

Impact

Gitea fails to enforce proper ownership checks when an authenticated user toggles the visibility of an OpenID URI. As a result, a user can alter the visibility settings of another user's OpenID identity, potentially exposing or concealing that identifier from unintended audiences. This is a broken access control flaw (CWE-284) combined with an authorization bypass through a user-controlled key (CWE-639): the toggle acts on an OpenID identity without confirming that it belongs to the requesting user. The impact is the unauthorized manipulation of user identity exposure, which can lead to privacy violations and weaken the trust model of the platform. The CVE description does not indicate any code execution or data exfiltration beyond visibility changes.

Affected Systems

Gitea Open Source Git Server versions prior to 1.25.4, the release that restores the ownership validation. No specific version range is listed in the CNA data, so every installation running a release before the patch should be treated as susceptible.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as medium severity. The EPSS score is below 1%, indicating a very low probability of exploitation in the wild, and the issue is not recorded in the CISA KEV catalog. The likely attack vector requires the attacker to be an authenticated user on the target system; no remote code execution or unauthenticated access is required. Nevertheless, the impact on user privacy and trust warrants prompt attention.

Generated by OpenCVE AI on April 18, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.4 or later, which includes the fix for the OpenID visibility toggle.
  • If an upgrade cannot be applied immediately, configure all OpenID URIs to be private or disable the visibility toggle feature to prevent unauthorized changes.
  • Verify that ordinary users can no longer modify the visibility of other users’ OpenID identities by testing the UI or using API calls with a standard account.


Advisories

Source: GitHub GHSA
ID: GHSA-qqgv-v353-cv8p
Title: Gitea does not properly validate ownership when toggling OpenID URI visibility

History

Thu, 29 Jan 2026 22:15:00 +0000

CPEs (added): cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*

Tue, 27 Jan 2026 00:15:00 +0000

References: updated (values not shown)
Metrics threat_severity (removed): None
Metrics threat_severity (added): Moderate

Fri, 23 Jan 2026 22:15:00 +0000

Metrics cvssV3_1 (added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

First Time appeared (added): Gitea, Gitea gitea
Vendors & Products (added): Gitea, Gitea gitea

Thu, 22 Jan 2026 23:00:00 +0000

Description (added): Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Title (added): Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
Weaknesses (added): CWE-284, CWE-639
References: updated (values not shown)

MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-01-23T21:53:53.397Z

Reserved: 2026-01-08T23:02:37.537Z

Link: CVE-2026-20904

Vulnrichment

Updated: 2026-01-23T17:52:26.545Z

NVD

Status: Analyzed

Published: 2026-01-22T22:16:19.130

Modified: 2026-01-29T22:03:08.750

Link: CVE-2026-20904

Red Hat

Severity: Moderate

Public Date: 2026-01-22T22:01:51Z

Links: CVE-2026-20904 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses