CVE Catalog

CVE-2026-20912

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile - higher than 33% of all known CVEs

Summary

A vulnerability in Gitea allows improper linking of attachments to releases due to missing validation of repository ownership. An attachment uploaded to a private repository could be linked to a release in a different public repository, leading to unauthorized access.

Risk Assessment

The risk involves data leakage from private repositories to public ones, potentially exposing confidential information to unauthorized users.

Recommendation

Update Gitea to the latest version that includes a fix for repository ownership validation when linking attachments to releases.

Original NVD description (English source)

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS