Impact
The vulnerability involves insufficient authorization checks when listing tracked time entries. Because the endpoint does not verify that the requester has permission to view the time records, any user who can reach the Gitea instance can potentially pull the entire list. This flaw aligns with CWE‑284, an improper authorization weakness. The exposed information includes user activity logs and project‑specific work hours, which may reveal sensitive development or billing data.
Affected Systems
All installations of Gitea Open Source Git Server with a version earlier than 1.25.5 are affected, regardless of the hosting environment. The flaw is present in the tracked‑time API endpoint. Upgrading to 1.25.5 or any later release removes the weakness.
Risk and Exploitability
The EPSS score is less than 1 %, indicating a very low probability of exploitation. No CVSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker who can reach the API simply needs to issue a request to the endpoint; no special credentials or privileged access appear to be required beyond those that let the user hit the endpoint. The impact is a disclosure of confidential activity logs, with no immediate effect on availability or integrity, but it could aid further attacks by providing intelligence on project personnel and workload. The overall risk can be considered moderate, especially for deployments that expose the endpoint to untrusted or external users.
OpenCVE Enrichment