CVE-2026-20904

CVE-2026-20904: Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

Vendor: Gitea
Product: Gitea Open Source Git Server
Weakness: CWE-284
Published: January 22, 2026
Last update: January 23, 2026

What the vulnerability does

01 Description

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Key dates

02 Disclosure timeline

January 22, 2026: CVE published
January 23, 2026: Record updated