Impact
The vulnerability results from insufficient visibility checks in organization permission APIs, permitting authenticated users to retrieve details about hidden members and private organizations. This leads to the unauthorized disclosure of sensitive visibility information, reflecting an access control weakness as identified by CWE-284.
Affected Systems
Gitea Open Source Git Server users running any version prior to 1.25.5 are affected. All deployments of the software before the 1.25.5 release are vulnerable to this flaw.
Risk and Exploitability
An EPSS score of <1% is available, but no CVSS score is provided, and the flaw is not listed in the CISA KEV catalog. Because the API calls require authentication, the likely attack vector is an authenticated or internal attacker. The lack of official exploitation data limits precise risk quantification, but the exposure of private visibility information enables compromised or malicious users to learn hidden membership details, potentially facilitating further exploit attempts. Detection and mitigation are therefore strongly advised.
OpenCVE Enrichment