{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20800", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "state": "PUBLISHED", "assignerShortName": "Gitea", "dateReserved": "2026-01-08T23:02:37.571Z", "datePublished": "2026-01-22T22:01:50.368Z", "dateUpdated": "2026-01-23T21:54:29.961Z"}, "containers": {"cna": {"affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"version": "0", "lessThanOrEqual": "1.25.3", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-g54m-9f6g-wj7q", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36339", "name": "GitHub Pull Request #36339", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "credits": [{"lang": "en", "value": "spingARbor", "type": "reporter"}], "title": "Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation", "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:50.368Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T21:11:32.615971Z", "id": "CVE-2026-20800", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:54:29.961Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation", "credits": [{"lang": "en", "type": "reporter", "value": "spingARbor"}], "affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.25.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-g54m-9f6g-wj7q", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36339", "name": "GitHub Pull Request #36339", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:50.368Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20800", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T21:11:32.615971Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-23T21:11:43.328Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-20800", "state": "PUBLISHED", "dateUpdated": "2026-01-22T22:01:50.368Z", "dateReserved": "2026-01-08T23:02:37.571Z", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "datePublished": "2026-01-22T22:01:50.368Z", "assignerShortName": "Gitea"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA", "versionEndExcluding": "1.25.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications."}], "id": "CVE-2026-20800", "lastModified": "2026-01-29T21:57:04.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T22:16:17.540", "references": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"], "url": "https://blog.gitea.com/release-of-1.25.4/"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/go-gitea/gitea/pull/36339"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"], "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"], "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-g54m-9f6g-wj7q"}], "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:33:02.406748+00:00", "value": {"mitigation_remediation": ["Upgrade Gitea to version 1.25.4 or later, which revises the permission checks in the notification API.", "Purge or delete existing notifications that contain titles of private issues for users whose access has been revoked.", "If an upgrade is not immediately possible, disable or restrict the notification endpoint for private repositories until a patch is applied."], "summary": {"action": "Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the Gitea Open Source Git Server. No specific version ranges are listed in the advisory, but the fix is included in the 1.25.4 release.", "description_and_impact": "The vulnerability arises from Gitea's notification API failing to re\u2011validate repository access when delivering notification details, allowing a user whose collaborator permission has been revoked to still view titles of issues and pull requests in private repositories. This exposure leaks internal project metadata, jeopardising confidentiality of development status and priorities. The weakness is a failure to enforce proper access control, classified as CWE\u2011200.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. An attacker can exploit the flaw by accessing the notification endpoint after having been a collaborator, making the attacker only need a previously received notification, with no further privileges required."}}}}, "created": "2026-01-23T10:27:15.484913+00:00", "updated": "2026-04-18T03:45:21.070571+00:00", "vendors": ["gitea", "gitea$PRODUCT$gitea"]}