CVE-2026-20897
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
A vulnerability in Gitea allows a user with write access to a repository to delete LFS locks belonging to other repositories. The issue stems from improper validation of repository ownership when deleting Git LFS locks.
Risk Assessment
An attacker can disrupt CI/CD processes or cause data loss in other repositories by unauthorized deletion of LFS locks.
Recommendation
It is recommended to immediately update Gitea to a version containing a fix for repository ownership validation when deleting LFS locks.
Original NVD description (English source)
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

