CVE-2026-20750
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk31th percentile - higher than 31% of all known CVEs
Summary
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Risk Assessment
The risk involves unauthorized modification of projects across different organizations, potentially leading to data integrity and confidentiality breaches.
Recommendation
Update Gitea to a version that includes the fix for project ownership validation. As a temporary measure, restrict project access to trusted users only.
Original NVD description (English source)
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

