Cyber Resilience

CVE-2026-20897

CriticalUpdated

Published: 22 January 2026

Published
22 January 2026
Modified
27 June 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0037 28.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-20897 is a critical-severity Improper Access Control (CWE-284) vulnerability in Gitea Gitea. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-20897 is a vulnerability in Gitea, an open-source self-hosted Git service, affecting the validation of repository ownership during the deletion of Git LFS (Large File Storage) locks. The issue stems from improper access controls, classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). Published on 2026-01-22, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity with high impacts on confidentiality and integrity but no availability impact.

A user with write access to any repository within a Gitea instance can exploit this flaw to delete Git LFS locks belonging to other repositories they do not own. Exploitation requires network access and low complexity, enabling remote attackers to interfere with LFS file operations across repositories, potentially disrupting collaborative workflows, forcing re-uploads, or enabling unauthorized modifications to locked large files.

Gitea released version 1.25.4 to address the vulnerability, as announced in their blog post and release notes, with fixes implemented in pull requests #36344 and #36349. The official security advisory (GHSA-rrq5-r9h5-pc7c) recommends upgrading to 1.25.4 or later to mitigate the issue, emphasizing proper validation of repository ownership in LFS lock deletion endpoints.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in public-facing Gitea web app enables remote exploitation via authorization bypass on LFS lock deletion.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20912Same product: Gitea Gitea
CVE-2026-20750Same product: Gitea Gitea
CVE-2026-20736Same product: Gitea Gitea
CVE-2026-21447Shared CWE-284, CWE-639
CVE-2026-25758Shared CWE-284, CWE-639
CVE-2025-62166Shared CWE-284, CWE-639
CVE-2026-27449Shared CWE-284, CWE-639
CVE-2026-7198Shared CWE-284
CVE-2026-46818Shared CWE-284
CVE-2025-70363Shared CWE-284

Affected Assets

gitea
gitea
≤ 1.25.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires enforcement of approved authorizations, preventing users with write access to one repository from deleting LFS locks in other repositories they do not own.

prevent

Mandates that access control decisions for LFS lock deletions correctly validate repository ownership, addressing the improper authorization bypass.

prevent

Enforces least privilege to restrict write access strictly to authorized repositories, mitigating cross-repository LFS lock manipulation.

References