CVE-2026-20750 (GCVE-0-2026-20750)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-06-29 12:34
VLAI
Title
Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)
Summary
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/go-gitea/gitea/security/adviso… | vendor-advisory |
| https://github.com/go-gitea/gitea/pull/36318 | patch |
| https://github.com/go-gitea/gitea/pull/36373 | patch |
| https://github.com/go-gitea/gitea/releases/tag/v1.25.4 | release-notes |
| https://blog.gitea.com/release-of-1.25.4/ | release-notes |
| https://access.redhat.com/security/cve/CVE-2026-20750 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2432216 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server |
Affected:
0 , ≤ 1.25.3
(semver)
|
|
| Red Hat | OpenShift Pipelines |
cpe:/a:redhat:openshift_pipelines:1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T21:12:12.632348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T21:54:39.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "unaffected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
}
],
"datePublic": "2026-01-22T22:01:49.948Z",
"descriptions": [
{
"lang": "en",
"value": "An access control flaw has been discovered in Gitea. Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Critical"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:34:21.341Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-20750"
},
{
"name": "RHBZ#2432216",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432216"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20750.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-22T23:02:30.554Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-01-22T22:01:49.948Z",
"value": "Made public."
}
],
"title": "gitea: Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gitea Open Source Git Server",
"vendor": "Gitea",
"versions": [
{
"lessThanOrEqual": "1.25.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "spingARbor"
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:01:49.948Z",
"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"shortName": "Gitea"
},
"references": [
{
"name": "GitHub Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27"
},
{
"name": "GitHub Pull Request #36318",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36318"
},
{
"name": "GitHub Pull Request #36373",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36373"
},
{
"name": "Gitea v1.25.4 Release",
"tags": [
"release-notes"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
},
{
"name": "Gitea v1.25.4 Release Blog Post",
"tags": [
"release-notes"
],
"url": "https://blog.gitea.com/release-of-1.25.4/"
}
],
"title": "Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"assignerShortName": "Gitea",
"cveId": "CVE-2026-20750",
"datePublished": "2026-01-22T22:01:49.948Z",
"dateReserved": "2026-01-08T23:02:37.565Z",
"dateUpdated": "2026-06-29T12:34:21.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-20750",
"date": "2026-06-30",
"epss": "0.00392",
"percentile": "0.31027"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-20750\",\"sourceIdentifier\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"published\":\"2026-01-22T22:16:17.370\",\"lastModified\":\"2026-06-27T05:16:42.390\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.\"},{\"lang\":\"es\",\"value\":\"Gitea no valida correctamente la titularidad de los proyectos en las operaciones de proyectos de la organizaci\u00f3n. Un usuario con permisos de escritura en proyectos de una organizaci\u00f3n podr\u00eda modificar proyectos pertenecientes a una organizaci\u00f3n diferente.\"}],\"affected\":[{\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"affectedData\":[{\"vendor\":\"Gitea\",\"product\":\"Gitea Open Source Git Server\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"1.25.3\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-23T21:12:12.632348Z\",\"id\":\"CVE-2026-20750\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*\",\"versionEndExcluding\":\"1.25.4\",\"matchCriteriaId\":\"DFCB7D74-331D-4582-AB41-113A25BE8FAA\"}]}]}],\"references\":[{\"url\":\"https://blog.gitea.com/release-of-1.25.4/\",\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/go-gitea/gitea/pull/36318\",\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/go-gitea/gitea/pull/36373\",\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/go-gitea/gitea/releases/tag/v1.25.4\",\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27\",\"source\":\"88ee5874-cf24-4952-aea0-31affedb7ff2\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-20750\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2432216\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20750.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"gitea: Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Critical\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-22T23:02:30.554Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-01-22T22:01:49.948Z\", \"value\": \"Made public.\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-01-22T22:01:49.948Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-20750\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2432216\", \"name\": \"RHBZ#2432216\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20750.json\", \"tags\": [\"x_sadp-csaf-vex\"]}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An access control flaw has been discovered in Gitea. Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-29T12:34:21.341Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-20750\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-23T21:12:12.632348Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-23T21:12:23.797Z\"}}], \"cna\": {\"title\": \"Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"spingARbor\"}], \"affected\": [{\"vendor\": \"Gitea\", \"product\": \"Gitea Open Source Git Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.25.3\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27\", \"name\": \"GitHub Security Advisory\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/go-gitea/gitea/pull/36318\", \"name\": \"GitHub Pull Request #36318\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/go-gitea/gitea/pull/36373\", \"name\": \"GitHub Pull Request #36373\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/go-gitea/gitea/releases/tag/v1.25.4\", \"name\": \"Gitea v1.25.4 Release\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://blog.gitea.com/release-of-1.25.4/\", \"name\": \"Gitea v1.25.4 Release Blog Post\", \"tags\": [\"release-notes\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"88ee5874-cf24-4952-aea0-31affedb7ff2\", \"shortName\": \"Gitea\", \"dateUpdated\": \"2026-01-22T22:01:49.948Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-20750\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-29T12:34:21.341Z\", \"dateReserved\": \"2026-01-08T23:02:37.565Z\", \"assignerOrgId\": \"88ee5874-cf24-4952-aea0-31affedb7ff2\", \"datePublished\": \"2026-01-22T22:01:49.948Z\", \"assignerShortName\": \"Gitea\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…