PT-2026-4294 · Gitea+1

Spingarbor · Published 2026-01-22 · Updated 2026-02-24 · CVE-2026-20912

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Gitea (affected versions not specified)

Description: The software does not correctly check ownership of repositories when managing attachments linked to releases. This can lead to a situation where an attachment from a private repository is incorrectly associated with a release in a public repository, potentially exposing the attachment to unauthorized access.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
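
The missing ownership check from the description, as an added Go example (not Gitea's code and not part of this advisory): a flawed link routine beside one that verifies each attachment belongs to the release's repository before linking anything. All type names, function names and sample data are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified models; these are not Gitea's own types.
type Attachment struct{ RepoID, ReleaseID int64 } // ReleaseID 0 = not linked yet
type Release struct{ ID, RepoID int64 }

var ErrForeignAttachment = errors.New("attachment belongs to a different repository")

// linkUnchecked is the flawed pattern: it links whatever UUID the request names.
func linkUnchecked(rel *Release, store map[string]*Attachment, uuids []string) {
	for _, id := range uuids {
		if a, ok := store[id]; ok {
			a.ReleaseID = rel.ID
		}
	}
}

// linkChecked validates every attachment first, so a rejected request links nothing.
func linkChecked(rel *Release, store map[string]*Attachment, uuids []string) error {
	for _, id := range uuids {
		a, ok := store[id]
		if !ok {
			return fmt.Errorf("attachment %q not found", id)
		}
		if a.RepoID != rel.RepoID {
			return fmt.Errorf("%w: %q", ErrForeignAttachment, id)
		}
	}
	for _, id := range uuids {
		store[id].ReleaseID = rel.ID
	}
	return nil
}

func main() {
	// Constructed sample: repo 1 is public, repo 2 is private.
	store := map[string]*Attachment{"a-pub": {RepoID: 1}, "a-priv": {RepoID: 2}}
	rel := &Release{ID: 10, RepoID: 1} // release in the public repo
	fmt.Println("checked:", linkChecked(rel, store, []string{"a-pub", "a-priv"}))
	linkUnchecked(rel, store, []string{"a-priv"})
	fmt.Println("unchecked: a-priv linked to release", store["a-priv"].ReleaseID)
}
```

The checked variant rejects the whole request when any attachment belongs to another repository, which also prevents a partially applied update.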

Improper Access Control

IDOR

Weakness Enumeration

Related Identifiers

BIT-GITEA-2026-20912
CVE-2026-20912
GHSA-4XX9-VC8V-87HV
GHSA-VFMV-F93V-37MW
GO-2026-4364
SUSE-SU-2026:0403-1

Affected Products

Gitea
Red Os