CVE-2026-20736

LOW SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

Vulnerability Details

Published Date

January 23, 2026

Last Modified

January 26, 2026

CWE ID

CWE-284

Source

GitHub

Vendor

Product

code.gitea.io/gitea

External References

https://nvd.nist.gov/vuln/detail/CVE-2026-20736
https://github.com/go-gitea/gitea/pull/36320
https://blog.gitea.com/release-of-1.25.4
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30
https://github.com/advisories/GHSA-hgr3-x44x-33hx

CVE-2026-20736

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment