CVE-2026-20736

CVE-2026-20736: Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check

Vendor Gitea
Product Gitea Open Source Git Server
Weakness CWE-284
Published January 22, 2026
Last update June 30, 2026

CVSS base score

What the vulnerability does

01Description

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

Key dates

02Disclosure timeline

January 22, 2026 CVE published
June 30, 2026 Record updated