CVE-2026-20912
Published: 22 January 2026
Summary
CVE-2026-20912 is a critical-severity Improper Access Control (CWE-284) vulnerability in Gitea. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces proper validation of repository ownership when linking attachments to releases, directly preventing unauthorized access to private attachments via public repositories.
- Restricts private repository attachments from being linked to and exposed through public repository releases, mitigating public accessibility of unauthorized content.
- Requires timely patching of the Gitea flaw (to version 1.25.4) to remediate the improper access control vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing Gitea service via an authorization bypass that exposes private attachments.
NVD Description
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Deeper analysis
CVE-2026-20912 affects Gitea, an open-source self-hosted Git service. The vulnerability stems from improper validation of repository ownership during the linking of attachments to releases, allowing an attachment uploaded to a private repository to be linked to a release in a different public repository. This exposes the attachment to unauthorized users who can access the public release. Published on 2026-01-22, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By linking a private repository attachment to a public repository's release, an attacker achieves high confidentiality and integrity impact, effectively bypassing the intended access controls and making sensitive files publicly accessible without proper authorization.
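The ownership check that the mitigating controls above describe, and that the NVD description says was missing, is shown below as an added Go example. This is not Gitea's own code: the Attachment and Release types, the in-memory store, and the function names linkUnchecked and linkChecked are constructed for illustration. linkUnchecked models the flawed behaviour (client-supplied attachment IDs are trusted, CWE-639), while linkChecked refuses to link any attachment whose repository differs from the release's repository, and does so before any write so that a partially applied link cannot occur.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal models constructed for this example; not Gitea's real types.
type Attachment struct {
	ID        int64
	RepoID    int64 // repository the file was uploaded to (may be private)
	ReleaseID int64 // 0 while not linked to any release
}

type Release struct {
	ID     int64
	RepoID int64 // repository that owns the release (may be public)
}

var (
	ErrForeignAttachment  = errors.New("attachment belongs to a different repository")
	ErrAttachmentNotFound = errors.New("attachment not found")
)

// store stands in for the database table of attachments.
type store struct {
	attachments map[int64]*Attachment
}

// linkUnchecked models the vulnerable behaviour: every attachment ID the
// client sends is linked to the release, with no comparison of repository
// ownership. A private-repo attachment ends up served from a public release.
func linkUnchecked(s *store, rel *Release, ids []int64) error {
	for _, id := range ids {
		a, ok := s.attachments[id]
		if !ok {
			return ErrAttachmentNotFound
		}
		a.ReleaseID = rel.ID
	}
	return nil
}

// linkChecked is the hardened form: validate that each attachment belongs
// to the release's repository first, and only then apply the links.
func linkChecked(s *store, rel *Release, ids []int64) error {
	toLink := make([]*Attachment, 0, len(ids))
	for _, id := range ids {
		a, ok := s.attachments[id]
		if !ok {
			return ErrAttachmentNotFound
		}
		if a.RepoID != rel.RepoID {
			// Reject without leaking anything beyond the ID the caller supplied.
			return fmt.Errorf("attachment %d: %w", id, ErrForeignAttachment)
		}
		toLink = append(toLink, a)
	}
	for _, a := range toLink {
		a.ReleaseID = rel.ID
	}
	return nil
}

// newDemoStore builds constructed sample data: attachment 7 lives in private
// repo 1, attachment 9 lives in public repo 2.
func newDemoStore() *store {
	return &store{attachments: map[int64]*Attachment{
		7: {ID: 7, RepoID: 1},
		9: {ID: 9, RepoID: 2},
	}}
}

func main() {
	publicRelease := &Release{ID: 100, RepoID: 2}

	s := newDemoStore()
	fmt.Println("unchecked:", linkUnchecked(s, publicRelease, []int64{7}), "attachment 7 release =", s.attachments[7].ReleaseID)

	s = newDemoStore()
	fmt.Println("checked:  ", linkChecked(s, publicRelease, []int64{7}), "attachment 7 release =", s.attachments[7].ReleaseID)
	fmt.Println("checked:  ", linkChecked(s, publicRelease, []int64{9}), "attachment 9 release =", s.attachments[9].ReleaseID)
}
```

Running main shows the unchecked path silently linking attachment 7 (private repo 1) to the public release, while the checked path returns ErrForeignAttachment and leaves it unlinked, yet still accepts attachment 9 from the same repository as the release. The same comparison belongs on every code path that associates an attachment with a new parent object, not only the release endpoint.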
Gitea advisories recommend upgrading to version 1.25.4, which includes fixes via pull requests #36320 and #36355. The security advisory GHSA-vfmv-f93v-37mw and release notes at the 1.25.4 tag detail the patches, while the blog post announces the secure release.
Details
- CWE(s)