Description
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves insufficient authorization checks when listing tracked time entries. Because the endpoint does not verify that the requester has permission to view the time records, any user who can reach the Gitea instance can potentially pull the entire list. This flaw aligns with CWE‑284, an improper authorization weakness. The exposed information includes user activity logs and project‑specific work hours, which may reveal sensitive development or billing data.

Affected Systems

All installations of Gitea Open Source Git Server with a version earlier than 1.25.5 are affected, regardless of the hosting environment. The flaw is present in the tracked‑time API endpoint. Upgrading to 1.25.5 or any later release removes the weakness.

Risk and Exploitability

The EPSS score is less than 1 %, indicating a very low probability of exploitation. No CVSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker who can reach the API simply needs to issue a request to the endpoint; no special credentials or privileged access appear to be required beyond those that let the user hit the endpoint. The impact is a disclosure of confidential activity logs, with no immediate effect on availability or integrity, but it could aid further attacks by providing intelligence on project personnel and workload. The overall risk can be considered moderate, especially for deployments that expose the endpoint to untrusted or external users.

Generated by OpenCVE AI on July 6, 2026 at 00:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.5 or later.
  • If an upgrade cannot be performed immediately, disable the tracked‑time feature or restrict the endpoint to project members only.
  • Review and reconfigure any custom permission settings to ensure the endpoint is only accessible to authorized users.

Generated by OpenCVE AI on July 6, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Title Gitea tracked-time list endpoint has insufficient permission checks
Weaknesses CWE-284
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:29.943Z

Reserved: 2026-02-22T15:13:33.704Z

Link: CVE-2026-20909

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses