HIGHCVE-2026-20736Published 2026-01-22Modified 2026-01-23CNA Gitea

CVE-2026-20736: Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Gitea / Gitea Open Source Git Server
≤ 1.25.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

GitHub Security Advisory
GitHub Pull Request #36320
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post

Metrics