CVE-2026-20897

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

9.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N                                    

Vulnerability Description

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Vulnerability Details

Published Date

January 23, 2026

Last Modified

January 26, 2026

CWE ID

CWE-284

Source

GitHub

Vendor

Product

github.com/go-gitea/gitea

External References

https://nvd.nist.gov/vuln/detail/CVE-2026-20897
https://github.com/go-gitea/gitea/pull/36344
https://github.com/go-gitea/gitea/pull/36349
https://blog.gitea.com/release-of-1.25.4
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f
https://github.com/advisories/GHSA-393c-qgvj-3xph

CVE-2026-20897

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment