Description
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability results from insufficient visibility checks in organization permission APIs, permitting authenticated users to retrieve details about hidden members and private organizations. This leads to the unauthorized disclosure of sensitive visibility information, reflecting an access control weakness as identified by CWE-284.

Affected Systems

Gitea Open Source Git Server users running any version prior to 1.25.5 are affected. All deployments of the software before the 1.25.5 release are vulnerable to this flaw.

Risk and Exploitability

An EPSS score of <1% is available, but no CVSS score is provided, and the flaw is not listed in the CISA KEV catalog. Because the API calls require authentication, the likely attack vector is an authenticated or internal attacker. The lack of official exploitation data limits precise risk quantification, but the exposure of private visibility information enables compromised or malicious users to learn hidden membership details, potentially facilitating further exploit attempts. Detection and mitigation are therefore strongly advised.

Generated by OpenCVE AI on July 6, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.5 or later, which restores proper visibility checks in the organization permission APIs.
  • Enforce strict role-based access controls on the Gitea API so that only authorized roles can query organization membership and visibility data.
  • Monitor API logs for abnormal permission queries or repeated access to organization visibility endpoints and investigate any unexpected activity.

Generated by OpenCVE AI on July 6, 2026 at 09:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
Title Gitea organization permission APIs expose private visibility information
Weaknesses CWE-284
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:32.421Z

Reserved: 2026-03-03T03:25:28.672Z

Link: CVE-2026-25712

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses