CVE-2026-20912

CVE-2026-20912: Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure

Vendor Gitea
Product Gitea Open Source Git Server
Weakness CWE-284
Published January 22, 2026
Last update June 29, 2026

CVSS base score

What the vulnerability does

Description

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could therefore be linked to a release in a different, public repository, making it accessible to users who are not authorized to read the private repository.
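The following is an added illustration of the access-control check the description refers to; it is not Gitea's code and uses a simplified, hypothetical in-memory model (the names Store, LinkAttachments, CanDownload, AnonymousCanRead and DemoStore, and the sample repository, release and attachment IDs, are all constructed here). It shows the ownership check a release-attachment linking path needs (the attachment's owning repository must equal the release's repository) and, on the download side, why a cross-repository link would otherwise expose a private repository's file through a public release.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model for illustration only; these are not Gitea's types.
type Repo struct{ ID int64; IsPrivate bool }
type Release struct{ ID, RepoID int64 }
type Attachment struct {
	ID        int64
	RepoID    int64 // repository the file was uploaded to
	ReleaseID int64 // 0 until the attachment is linked to a release
}

var (
	ErrNotFound  = errors.New("not found")
	ErrCrossRepo = errors.New("attachment belongs to a different repository than the release")
)

// Store is an in-memory stand-in for the database.
type Store struct {
	Repos       map[int64]*Repo
	Releases    map[int64]*Release
	Attachments map[int64]*Attachment
}

// LinkAttachments links the given attachments to a release. The RepoID comparison is the
// ownership check the record describes as missing: a file may only be linked to a release of
// the repository it was uploaded to. Every ID is validated before any write, so a request is
// applied completely or not at all.
func (s *Store) LinkAttachments(releaseID int64, attachmentIDs []int64) error {
	rel, ok := s.Releases[releaseID]
	if !ok {
		return fmt.Errorf("release %d: %w", releaseID, ErrNotFound)
	}
	pending := make([]*Attachment, 0, len(attachmentIDs))
	for _, id := range attachmentIDs {
		att, ok := s.Attachments[id]
		if !ok {
			return fmt.Errorf("attachment %d: %w", id, ErrNotFound)
		}
		if att.RepoID != rel.RepoID {
			return fmt.Errorf("attachment %d: %w", id, ErrCrossRepo)
		}
		pending = append(pending, att)
	}
	for _, att := range pending {
		att.ReleaseID = rel.ID
	}
	return nil
}

// CanDownload decides whether a viewer may fetch an attachment. An attachment served through a
// release normally inherits the visibility of the release's repository, which is why a
// cross-repository link leaks: a public release would serve a private repository's file. As
// defence in depth, the download path here also requires read access to the attachment's own repo.
func (s *Store) CanDownload(attachmentID int64, viewerCanRead func(repoID int64) bool) (bool, error) {
	att, ok := s.Attachments[attachmentID]
	if !ok {
		return false, fmt.Errorf("attachment %d: %w", attachmentID, ErrNotFound)
	}
	if att.ReleaseID != 0 {
		rel, ok := s.Releases[att.ReleaseID]
		if !ok {
			return false, fmt.Errorf("release %d: %w", att.ReleaseID, ErrNotFound)
		}
		if !viewerCanRead(rel.RepoID) {
			return false, nil
		}
	}
	return viewerCanRead(att.RepoID), nil
}

// AnonymousCanRead models an unauthenticated viewer, who may read public repositories only.
func (s *Store) AnonymousCanRead(repoID int64) bool {
	r, ok := s.Repos[repoID]
	return ok && !r.IsPrivate
}

// DemoStore builds constructed sample data: repo 1 is private, repo 2 is public.
func DemoStore() *Store {
	return &Store{
		Repos:       map[int64]*Repo{1: {ID: 1, IsPrivate: true}, 2: {ID: 2, IsPrivate: false}},
		Releases:    map[int64]*Release{10: {ID: 10, RepoID: 1}, 20: {ID: 20, RepoID: 2}},
		Attachments: map[int64]*Attachment{100: {ID: 100, RepoID: 1}, 200: {ID: 200, RepoID: 2}},
	}
}

func main() {
	s := DemoStore()
	// Linking the private repo's file to the public repo's release is refused.
	fmt.Println("cross-repo link:", s.LinkAttachments(20, []int64{100}))
	// Linking within the owning repository succeeds, and the file stays private.
	fmt.Println("same-repo link:", s.LinkAttachments(10, []int64{100}))
	ok, _ := s.CanDownload(100, s.AnonymousCanRead)
	fmt.Println("anonymous can download private attachment:", ok)
}
```

The check belongs in the linking operation itself rather than only in the upload or download handlers, because the release is the object whose visibility ultimately decides who can fetch the file; validating all attachment IDs before writing any of them keeps a mixed request from partially succeeding.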

Key dates

Disclosure timeline

January 22, 2026 CVE published
June 29, 2026 Record updated