CVE-2026-20897

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Gitea (affected versions not specified)

Description Gitea does not correctly validate repository ownership during the deletion of Git LFS locks. This allows a user with write access to a repository to potentially delete LFS locks that belong to other repositories. The issue involves improper validation when deleting Git LFS locks.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Access Control

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-639

Related Identifiers

BIT-GITEA-2026-20897

CVE-2026-20897

GHSA-393C-QGVJ-3XPH

GHSA-RRQ5-R9H5-PC7C

GO-2026-4363

SUSE-SU-2026:0403-1

Affected Products

Gitea

Red Os

CVE-2026-20897

Weakness Enumeration

Related Identifiers

Affected Products

References · 98