Impact
Gitea 1.26.2 allows a fork synchronization process to continue after a parent repository is changed from public to private, resulting in unauthorized disclosure of the private repository’s contents. The vulnerability is a classic information exposure problem that compromises confidentiality, compounded by improper authorization control. An attacker who already owns a fork can exploit the sync function to retrieve data that should no longer be accessible, effectively turning an otherwise private repository into a public data sink.
Affected Systems
The affected product is Gitea Open Source Git Server, version 1.26.2. The fix is delivered in version 1.26.3 and later. Users running the 1.26.2 release are at risk until they upgrade to the patched version.
Risk and Exploitability
The risk of exploitation is significant because any user with a fork of the repository can trigger the synchronization and obtain the previously private data. The EPSS score of < 1% indicates a very low likelihood of exploitation at this time, but the absence of a KEV listing does not diminish the potential impact. Based on the description, it can be inferred that the attack vector is a network‑based request to the fork synchronization API, and the vulnerability can be exercised without additional privileges beyond the fork owner. Security teams should consider the data exposure severity and the widespread use of Gitea when assessing their risk posture.
OpenCVE Enrichment