Description
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gitea versions prior to 1.25.5 perform a lookup of tracked‑time entries solely by the time identifier, failing to constrain the lookup to the issue specified in the request URL. This flaw allows a user to issue a deletion request that targets a tracked‑time entry belonging to a different issue, effectively removing data that may be outside the user’s intended scope. The vulnerability is a classic authorization bypass and is represented by CWE‑639. If leveraged, an attacker could erase time tracking information, disrupt project reporting, and compromise data integrity for multiple issues across the repository. There is no evidence of a public exploit, the EPSS score is < 1 %, and the CVE is not listed in the CISA KEV catalog. The lack of a CVSS score and exploit data suggests the risk is primarily tied to privilege misuse in an authenticated context, but without a publicly known exploit it remains a moderate to high risk for organizations using pre‑1.25.5 Gitea deployments and relying on tracked‑time data for accountability or billing.

Affected Systems

All releases of Gitea Open Source Git Server before version 1.25.5 are affected. This includes every publicly available open‑source release of the Gitea Git server that lacks the patch applied in version 1.25.5 and later, regardless of the deployment environment.

Risk and Exploitability

The vulnerability can be exercised through the tracked‑time deletion API or web interface by providing a time ID that points to an entry belonging to a different issue. Because the lookup is not scoped to the issue in the request URL, a user who can delete tracked‑time entries for one issue can delete entries for any other issue, assuming they have chosen a valid time identifier. This constitutes an authorization bypass that allows a malicious authenticated user to tamper with time tracking data across the repository. The CVE data does not include a CVSS score, and the EPSS score is < 1 %, but the absence of a published exploit and the lack of KEV listing suggest the exploitation likelihood is moderate. Nevertheless, the impact on data integrity and accountability can be significant for organizations that rely on tracked‑time for billing or reporting, so the overall risk is considered moderate to high.

Generated by OpenCVE AI on July 6, 2026 at 09:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gitea to version 1.25.5 or later to fix the issue
  • If an upgrade cannot be performed immediately, restrict API permissions so that only users with explicit issue‑level access may delete tracked‑time entries, and audit deletion logs for anomalous activity
  • Review and restore any tracked‑time records that may have been incorrectly deleted after applying the fix

Generated by OpenCVE AI on July 6, 2026 at 09:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
Title Gitea tracked-time deletion can target entries from another issue
Weaknesses CWE-639
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:33.790Z

Reserved: 2026-02-22T15:13:33.711Z

Link: CVE-2026-25782

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T01:00:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key