{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20912", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "state": "PUBLISHED", "assignerShortName": "Gitea", "dateReserved": "2026-01-08T23:02:37.548Z", "datePublished": "2026-01-22T22:01:52.026Z", "dateUpdated": "2026-01-23T21:53:41.649Z"}, "containers": {"cna": {"affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"version": "0", "lessThanOrEqual": "1.25.3", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36320", "name": "GitHub Pull Request #36320", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36355", "name": "GitHub Pull Request #36355", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "credits": [{"lang": "en", "value": "spingARbor", "type": "reporter"}], "title": "Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure", "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:52.026Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:51:12.073308Z", "id": "CVE-2026-20912", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:53:41.649Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T17:51:12.073308Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:51:26.556Z"}}], "cna": {"title": "Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure", "credits": [{"lang": "en", "type": "reporter", "value": "spingARbor"}], "affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.25.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36320", "name": "GitHub Pull Request #36320", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36355", "name": "GitHub Pull Request #36355", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:52.026Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20912", "state": "PUBLISHED", "dateUpdated": "2026-01-23T21:53:41.649Z", "dateReserved": "2026-01-08T23:02:37.548Z", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "datePublished": "2026-01-22T22:01:52.026Z", "assignerShortName": "Gitea"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA", "versionEndExcluding": "1.25.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users."}], "id": "CVE-2026-20912", "lastModified": "2026-01-29T22:03:58.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T22:16:19.297", "references": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"], "url": "https://blog.gitea.com/release-of-1.25.4/"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/go-gitea/gitea/pull/36320"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/go-gitea/gitea/pull/36355"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"], "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"], "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw"}], "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary"}]}

{"bugzilla": {"description": "gitea: Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure", "id": "2432219", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432219"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "(CWE-284|CWE-639)", "details": ["Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-20912", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-opc-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2026-01-22T22:01:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20912\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20912\nhttps://blog.gitea.com/release-of-1.25.4/\nhttps://github.com/go-gitea/gitea/pull/36320\nhttps://github.com/go-gitea/gitea/pull/36355\nhttps://github.com/go-gitea/gitea/releases/tag/v1.25.4\nhttps://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw"], "threat_severity": "Critical"}

{"created": "2026-01-23T10:27:11.839033+00:00", "updated": "2026-01-23T10:27:11.839069+00:00", "vendors": ["gitea", "gitea$PRODUCT$gitea"]}