CVE-2026-20897

CVE-2026-20897: Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Vendor Gitea

Product Gitea Open Source Git Server

Weakness CWE-284

Published January 22, 2026

Last update June 29, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Key dates

02Disclosure timeline

January 22, 2026 CVE published

June 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-20897 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

04Related CVE

CVE-2025-21197 Windows NTFS Information Disclosure Vulnerability CVE-2022-4814 Improper Access Control in usememos/memos CVE-2023-24546 CVE-2026-45177 Idira Secrets Manager SaaS Edge: Authentication Bypass of an internal validation mechanism CVE-2021-42359 WP DSGVO Tools (GDPR) <= 3.1.23 Unauthenticated Arbitrary Post Deletion