CVE-2026-20904

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Vulnerability Details

Published Date

January 23, 2026

Last Modified

January 26, 2026

CWE ID

CWE-284

Source

GitHub

Vendor

Product

github.com/go-gitea/gitea

External References

https://nvd.nist.gov/vuln/detail/CVE-2026-20904
https://github.com/go-gitea/gitea/pull/36346
https://github.com/go-gitea/gitea/pull/36361
https://blog.gitea.com/release-of-1.25.4
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22
https://github.com/advisories/GHSA-qqgv-v353-cv8p

CVE-2026-20904

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment