CVE-2026-20750

Summary

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

Affected Software

VendorProductVersion RangeStatus
GiteaGitea Open Source Git Server0 <= 1.25.3affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

gitea: Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)

Additional References

References