CVE Catalog

CVE-2026-20897

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile - higher than 33% of all known CVEs

Summary

A vulnerability in Gitea allows a user with write access to a repository to delete LFS locks belonging to other repositories. The issue stems from improper validation of repository ownership when deleting Git LFS locks.

Risk Assessment

An attacker can disrupt CI/CD processes or cause data loss in other repositories by unauthorized deletion of LFS locks.

Recommendation

It is recommended to immediately update Gitea to a version containing a fix for repository ownership validation when deleting LFS locks.

Original NVD description (English source)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS