PT-2026-4290 · Gitea+1

Spingarbor · Published 2026-01-22 · Updated 2026-02-24 · CVE-2026-20883

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Gitea (affected versions not specified)

Description

The stopwatch API in Gitea does not re-validate repository access permissions. This means that if a user's access to a private repository is revoked, they may still be able to view issue titles and repository names through previously started stopwatches. The issue affects the ability to control access to repository information after permissions have been changed.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
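
The missing check from the description, as an added Go example that is not Gitea's code: a listing that trusts stopwatch ownership alone, beside one that re-validates read access on each request. The `Stopwatch` and `ACL` types, both function names and the sample data are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Hypothetical model, not Gitea's own types: a running stopwatch row
// carries the repository name and issue title it was started on.
type Stopwatch struct {
	UserID, RepoID       int64
	RepoName, IssueTitle string
}

// ACL is a hypothetical stand-in for the live permission store.
type ACL map[[2]int64]bool

func (a ACL) CanRead(user, repo int64) bool { return a[[2]int64{user, repo}] }
func (a ACL) Revoke(user, repo int64)       { delete(a, [2]int64{user, repo}) }

// ListUnchecked reproduces the flaw: stopwatch ownership is the only test,
// so rows started before a revocation keep exposing repo metadata.
func ListUnchecked(all []Stopwatch, user int64) []Stopwatch {
	var out []Stopwatch
	for _, sw := range all {
		if sw.UserID == user {
			out = append(out, sw)
		}
	}
	return out
}

// ListChecked re-validates read access against the ACL on every request.
func ListChecked(all []Stopwatch, user int64, acl ACL) []Stopwatch {
	var out []Stopwatch
	for _, sw := range all {
		if sw.UserID == user && acl.CanRead(user, sw.RepoID) {
			out = append(out, sw)
		}
	}
	return out
}

func main() {
	// Constructed sample data: user 7 started stopwatches in repos 1 and 2.
	all := []Stopwatch{
		{UserID: 7, RepoID: 1, RepoName: "acme/docs", IssueTitle: "Fix typo"},
		{UserID: 7, RepoID: 2, RepoName: "acme/billing", IssueTitle: "Rotate API key"},
	}
	acl := ACL{{7, 1}: true, {7, 2}: true}
	acl.Revoke(7, 2) // access to the private repo is withdrawn afterwards
	fmt.Println(len(ListUnchecked(all, 7)), len(ListChecked(all, 7, acl)))
}
```

The same pair of calls works as a regression test: start a stopwatch, revoke access, then assert the listing no longer returns the row.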

Improper Access Control


Weakness Enumeration

Related Identifiers

BIT-GITEA-2026-20883
CVE-2026-20883
GHSA-644V-XV3J-XGQG
GHSA-J8XR-C56Q-M8JJ
GO-2026-4368
SUSE-SU-2026:0403-1

Affected Products

Gitea
Red Os