Gitea's Ghost in the Machine: Leaking Private Release Notes via Zombie Watchers
Vulnerability ID: CVE-2026-0798
CVSS Score: 3.5
Published: 2026-01-23
A logic flaw in Gitea's notification system allowed unauthorized users—specifically 'watchers' who lost access or remained subscribed after a repository went private—to continue receiving detailed release emails containing private changelogs and tags.
TL;DR
If you fire an employee and revoke their Git access, they might still be watching your repo. In Gitea versions prior to 1.25.4, the release mailer didn't double-check permissions before hitting 'Send'. This resulted in private release notes, titles, and tags being broadcast to users who should have been locked out. The fix ensures permissions are validated at the moment of dispatch and wipes the watcher list when a repo goes private.
Technical Details
- CWE: CWE-284 (Improper Access Control)
- CVSS v3.1: 3.5 (Low)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (Requires previous access)
- Impact: Information Disclosure
Affected Systems
- Gitea <= 1.25.3 (fixed in 1.25.4)
Code Analysis
Commit: b477610 ("Fix release notification permission check")
func MakeRepoPrivate... repo_model.ClearRepoWatches(ctx, repo.ID)
The fix has two parts: the release mailer re-validates each recipient's read permission at the moment the notification is dispatched, and MakeRepoPrivate now calls repo_model.ClearRepoWatches(ctx, repo.ID), so the watcher list is emptied whenever a repository is switched to private rather than carried over from its public days.
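To make the fix concrete, here is an added, self-contained Go model of the two behaviours the TL;DR and the commit describe. It is not Gitea's code: the Repo type, the access map and every function name below are illustrative assumptions. The "vulnerable" mailer sends to every watcher, the "fixed" mailer re-checks read access at dispatch time, and making a repository private clears its watcher list. The zombieWatchers helper lists watchers who no longer hold read access, which is what a manual audit of a private repository's watcher list is looking for.

```go
package main

import (
	"fmt"
	"sort"
)

// Repo is a constructed in-memory stand-in for a Gitea repository (not
// Gitea's own model): a watcher list and the set of users with read access.
type Repo struct {
	Name     string
	Private  bool
	Watchers map[string]bool // users subscribed to notifications
	Readers  map[string]bool // users who currently hold read access
}

// CanRead models the permission check done on normal page requests:
// public repos are readable by anyone, private ones only by listed readers.
func (r *Repo) CanRead(user string) bool {
	if !r.Private {
		return true
	}
	return r.Readers[user]
}

// RevokeAccess removes a user's read access but, exactly as in the
// vulnerable versions, leaves their watch subscription untouched.
func (r *Repo) RevokeAccess(user string) { delete(r.Readers, user) }

// releaseRecipientsVulnerable mirrors the pre-1.25.4 mailer: every watcher
// gets the release mail, with no permission check at dispatch time.
func releaseRecipientsVulnerable(r *Repo) []string {
	var out []string
	for u := range r.Watchers {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// releaseRecipientsFixed re-validates read access when the mail is built,
// which is the first half of the fix.
func releaseRecipientsFixed(r *Repo) []string {
	var out []string
	for u := range r.Watchers {
		if r.CanRead(u) {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

// MakeRepoPrivate flips visibility and, like the ClearRepoWatches call the
// fix adds, drops every watcher so no stale subscription survives.
func MakeRepoPrivate(r *Repo) {
	r.Private = true
	r.Watchers = map[string]bool{}
}

// zombieWatchers returns watchers without read access: the accounts a manual
// audit of a private repository's watcher list should flag and remove.
func zombieWatchers(r *Repo) []string {
	var out []string
	for u := range r.Watchers {
		if !r.CanRead(u) {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed scenario: bob is offboarded but still watching.
	repo := &Repo{
		Name: "acme/internal-tool", Private: true,
		Watchers: map[string]bool{"alice": true, "bob": true},
		Readers:  map[string]bool{"alice": true, "bob": true},
	}
	repo.RevokeAccess("bob")
	fmt.Println("vulnerable mailer sends to:", releaseRecipientsVulnerable(repo)) // [alice bob]
	fmt.Println("fixed mailer sends to:     ", releaseRecipientsFixed(repo))      // [alice]
	fmt.Println("watchers to audit:         ", zombieWatchers(repo))              // [bob]
}
```

The point of the check living in the mailer rather than only in the subscribe handler is that access can be revoked long after the subscription was created; any notification path that trusts a stored subscriber list needs the same dispatch-time re-validation.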
Exploit Details
- N/A: No public exploit code needed; logic flaw is exploited by configuration state.
Mitigation Strategies
- Upgrade Gitea immediately to version 1.25.4 or later.
- If upgrading is not possible, manually audit the 'watchers' list on sensitive private repositories.
- Advise developers not to include sensitive credentials or specific architectural secrets in release notes.
Remediation Steps:
- Pull the latest Docker image: docker pull gitea/gitea:1.25.4
- Restart the Gitea service.
- Verify the fix by revoking a test user's access and ensuring they do not receive subsequent release emails.