CVE-2026-20883

LOW SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.

Vulnerability Details

Published Date

January 23, 2026

Last Modified

January 26, 2026

CWE ID

CWE-284

Source

GitHub

Vendor

Product

github.com/go-gitea/gitea

External References

https://nvd.nist.gov/vuln/detail/CVE-2026-20883
https://github.com/go-gitea/gitea/pull/36340
https://github.com/go-gitea/gitea/pull/36368
https://blog.gitea.com/release-of-1.25.4
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/commit/95ea2df00a70176c516b12f3cfee8c84a310280f
https://github.com/advisories/GHSA-j8xr-c56q-m8jj

CVE-2026-20883

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment