CVE-2026-20912
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
A vulnerability in Gitea allows improper linking of attachments to releases due to missing validation of repository ownership. An attachment uploaded to a private repository could be linked to a release in a different public repository, leading to unauthorized access.
Risk Assessment
The risk involves data leakage from private repositories to public ones, potentially exposing confidential information to unauthorized users.
Recommendation
Update Gitea to the latest version that includes a fix for repository ownership validation when linking attachments to releases.
Original NVD description (English source)
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

