id: GO-ID-PENDING
modules:
- module: code.gitea.io/gitea
versions:
- fixed: 1.25.4
vulnerable_at: 1.25.3
summary: |-
Gitea does not properly validate repository ownership when linking attachments
to releases in code.gitea.io/gitea
cves:
- CVE-2026-20912
ghsas:
- GHSA-4xx9-vc8v-87hv
references:
- advisory: https://github.com/advisories/GHSA-4xx9-vc8v-87hv
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-20912
- fix: https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30
- fix: https://github.com/go-gitea/gitea/pull/36320
- fix: https://github.com/go-gitea/gitea/pull/36355
- web: https://blog.gitea.com/release-of-1.25.4
- web: https://github.com/go-gitea/gitea/releases/tag/v1.25.4
source:
id: GHSA-4xx9-vc8v-87hv
created: 2026-01-23T21:01:26.958059959Z
review_status: UNREVIEWED
Advisory GHSA-4xx9-vc8v-87hv references a vulnerability in the following Go modules:
Description:
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
References:
Cross references:
See doc/quickstart.md for instructions on how to triage this report.