CVE-2026-20897
Published: 22 January 2026
Summary
CVE-2026-20897 is a critical-severity Improper Access Control (CWE-284) vulnerability in Gitea Gitea. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires enforcement of approved authorizations, preventing users with write access to one repository from deleting LFS locks in other repositories they do not own.
Mandates that access control decisions for LFS lock deletions correctly validate repository ownership, addressing the improper authorization bypass.
Enforces least privilege to restrict write access strictly to authorized repositories, mitigating cross-repository LFS lock manipulation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Gitea web app enables remote exploitation via authorization bypass on LFS lock deletion.
NVD Description
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Deeper analysisAI
CVE-2026-20897 is a vulnerability in Gitea, an open-source self-hosted Git service, affecting the validation of repository ownership during the deletion of Git LFS (Large File Storage) locks. The issue stems from improper access controls, classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). Published on 2026-01-22, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity with high impacts on confidentiality and integrity but no availability impact.
A user with write access to any repository within a Gitea instance can exploit this flaw to delete Git LFS locks belonging to other repositories they do not own. Exploitation requires network access and low complexity, enabling remote attackers to interfere with LFS file operations across repositories, potentially disrupting collaborative workflows, forcing re-uploads, or enabling unauthorized modifications to locked large files.
Gitea released version 1.25.4 to address the vulnerability, as announced in their blog post and release notes, with fixes implemented in pull requests #36344 and #36349. The official security advisory (GHSA-rrq5-r9h5-pc7c) recommends upgrading to 1.25.4 or later to mitigate the issue, emphasizing proper validation of repository ownership in LFS lock deletion endpoints.
Details
- CWE(s)