Cyber Resilience

CVE-2026-20912

Severity: Critical (updated)
Published: 22 January 2026
Modified: 27 June 2026
KEV Added: not listed
Patch: available (1.25.4)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0037 (28.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-20912 is a critical-severity Improper Access Control (CWE-284) vulnerability in Gitea (vendor Gitea). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-20912 affects Gitea, an open-source self-hosted Git service. The vulnerability stems from improper validation of repository ownership during the linking of attachments to releases, allowing an attachment uploaded to a private repository to be linked to a release in a different public repository. This exposes the attachment to unauthorized users who can access the public release. Published on 2026-01-22, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By linking a private repository attachment to a public repository's release, an attacker obtains high confidentiality and integrity impact, effectively bypassing the intended access controls and making sensitive files publicly accessible without proper authorization.
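To make the missing check concrete, the following is an added example in Go (the language Gitea is written in); it is not Gitea's own code and uses hypothetical types (Attachment, Release, AttachmentStore). The flawed path links whatever attachment UUIDs the request supplies, while the hardened path rejects any attachment whose RepoID differs from the release's repository.

```go
package main

import (
	"errors"
	"fmt"
)
// Hypothetical minimal model of the entities involved; not Gitea's own types.
type Attachment struct {
	UUID   string
	RepoID int64 // repository the file was originally uploaded to
}
type Release struct {
	ID     int64
	RepoID int64 // repository that owns the release
}
type AttachmentStore map[string]*Attachment // stands in for a database lookup by UUID

var ErrAttachmentNotOwned = errors.New("attachment does not belong to the release's repository")
// linkUnchecked models the flawed behaviour: attachment UUIDs taken from the request
// (the user-controlled key of CWE-639) are linked without ever consulting rel.RepoID.
func linkUnchecked(store AttachmentStore, rel *Release, uuids []string) error {
	for _, u := range uuids {
		if _, ok := store[u]; !ok {
			return fmt.Errorf("attachment %s not found", u)
		}
	}
	return nil // a cross-repository attachment is accepted here
}

// linkChecked is the hardened form: every attachment must already belong to the
// release's repository, and a single foreign UUID rejects the whole request.
func linkChecked(store AttachmentStore, rel *Release, uuids []string) error {
	for _, u := range uuids {
		att, ok := store[u]
		if !ok {
			return fmt.Errorf("attachment %s not found", u)
		}
		if att.RepoID != rel.RepoID {
			return fmt.Errorf("%w: %s", ErrAttachmentNotOwned, u)
		}
	}
	return nil
}

func main() {
	// Constructed sample: file uploaded to private repo 1, release belongs to public repo 2.
	store := AttachmentStore{"priv-uuid": {UUID: "priv-uuid", RepoID: 1}}
	fmt.Println("hardened check:", linkChecked(store, &Release{ID: 10, RepoID: 2}, []string{"priv-uuid"}))
}
```

Rejecting the whole request on the first foreign UUID avoids partially linked releases, which are harder to audit after the fact.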

Gitea advisories recommend upgrading to version 1.25.4, which includes fixes via pull requests #36320 and #36355. The security advisory GHSA-vfmv-f93v-37mw and release notes at the 1.25.4 tag detail the patches, while the blog post announces the secure release.

Vulnerability details

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated exploit of public-facing Gitea service via authorization bypass to expose private attachments.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20897 (same product: Gitea)
CVE-2026-20750 (same product: Gitea)
CVE-2026-20736 (same product: Gitea)
CVE-2026-21447 (shared CWE-284, CWE-639)
CVE-2026-25758 (shared CWE-284, CWE-639)
CVE-2025-62166 (shared CWE-284, CWE-639)
CVE-2026-27449 (shared CWE-284, CWE-639)
CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)

Affected Assets

gitea/gitea: ≤ 1.25.4

Mitigating Controls (NIST 800-53 r5, AI mapping)

prevent: Enforces proper validation of repository ownership when linking attachments to releases, directly preventing unauthorized access to private attachments via public repositories.

prevent: Restricts private repository attachments from being linked to and exposed through public repository releases, mitigating public accessibility of unauthorized content.

prevent: Requires timely patching of the Gitea flaw (to version 1.25.4) to remediate the improper access control vulnerability.