Impact
The vulnerability in Gitea version 1.26.2 permits users who are not authenticated or do not belong to a private organization to retrieve the labels associated with that organization. This exposes internal project metadata, such as issue categorization or workflow tags, through data leakage. The weakness is categorized as CWE‑200 (Information Exposure) and CWE‑862 (Missing Authorization).
Affected Systems
The affected product is the Gitea Open Source Git Server, specifically the 1.26.2 release. Users running this revision are vulnerable until they upgrade to a fixed version such as 1.26.3 or later.
Risk and Exploitability
The EPSS score for this vulnerability is less than 1%, indicating a very low but non-zero probability of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the exposed web interface or API to retrieve private organization labels without authentication. The ability to view internal metadata can help attackers map project structure, infer development workflows, and plan subsequent attacks.
OpenCVE Enrichment