Description
Gitea 1.26.2 allows unauthorized users to access labels of private organizations.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Gitea version 1.26.2 permits users who are not authenticated or do not belong to a private organization to retrieve the labels associated with that organization. This exposes internal project metadata, such as issue categorization or workflow tags, through data leakage. The weakness is categorized as CWE‑200 (Information Exposure) and CWE‑862 (Missing Authorization).

Affected Systems

The affected product is the Gitea Open Source Git Server, specifically the 1.26.2 release. Users running this revision are vulnerable until they upgrade to a fixed version such as 1.26.3 or later.

Risk and Exploitability

The EPSS score for this vulnerability is less than 1%, indicating a very low but non-zero probability of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the exposed web interface or API to retrieve private organization labels without authentication. The ability to view internal metadata can help attackers map project structure, infer development workflows, and plan subsequent attacks.

Generated by OpenCVE AI on July 6, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gitea server to version 1.26.3 or newer, which contains the fix for the disclosure.
  • Ensure that the Gitea instance requires authentication and uses HTTPS to prevent unauthenticated and eavesdropping traffic.
  • Restrict network access to the Gitea instance with firewall rules or network segmentation so that only trusted hosts can communicate with it.

Generated by OpenCVE AI on July 6, 2026 at 09:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea 1.26.2 allows unauthorized users to access labels of private organizations.
Title Gitea private organization labels are visible to unauthorized users
Weaknesses CWE-200
CWE-862
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:32.042Z

Reserved: 2026-03-03T03:26:00.351Z

Link: CVE-2026-25038

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-862

    Missing Authorization