Ghost in the Repo: Deleting Gitea Attachments from the Grave
Vulnerability ID: CVE-2026-20736
CVSS Score: 7.5
Published: 2026-01-23
A logic flaw in Gitea's attachment handling allowed users to delete files from repositories they no longer had access to. If you uploaded it, you could kill it—even after being fired.
TL;DR
An Improper Access Control vulnerability in Gitea <= 1.25.3 allows a user to delete attachments they previously uploaded to a repository, even after their access to that repository has been revoked. By piggybacking on a request to a different repository they do control, attackers can purge critical evidence or release artifacts.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-284
- Attack Vector: Network
- CVSS v3.1: 7.5 (High)
- Affected Versions: <= 1.25.3
- Patch Version: 1.25.4
- Impact: Data Integrity Loss
Affected Systems
- Gitea self-hosted instances
- Gitea: <= 1.25.3 (Fixed in: 1.25.4)
Code Analysis
Commit: fbea2c6
Fix attachment deletion permission check
The patch adds a check to the attachment deletion handler: the attachment's RepoID must match the repository addressed by the request. A mismatch is rejected with HTTP 400 before any deletion happens, so an attachment can no longer be deleted through a request routed via a different repository.
    // Reject the request when the attachment belongs to a repository other than the one in the request context.
    if attach.RepoID != ctx.Repo.Repository.ID {
        ctx.HTTPError(http.StatusBadRequest, "attachment does not belong to this repository")
        return
    }
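The following Go program is an added example, not code from Gitea or from this report. It models the access decision as a pure function so the effect of the patch can be checked in isolation: CanDeleteVulnerable reflects the pre-1.25.4 logic as the advisory describes it (write access to the addressed repository plus an uploader match, with nothing tying the attachment to that repository), and CanDeleteFixed adds the RepoID check from the commit. The Repository, Attachment and RequestContext types, the Writers access list and the UUID values are simplified, constructed stand-ins, not Gitea's real models.

```go
package main

import "fmt"

// Repository is a simplified stand-in for Gitea's model (assumption for this example).
// Writers holds the user IDs that currently have write access.
type Repository struct {
	ID      int64
	Name    string
	Writers map[int64]bool
}

// Attachment records which repository a file belongs to and who uploaded it.
type Attachment struct {
	UUID       string
	RepoID     int64
	UploaderID int64
}

// RequestContext models what the deletion handler knows: the repository the
// URL addressed and the authenticated user making the request.
type RequestContext struct {
	Repo   *Repository
	UserID int64
}

// CanDeleteVulnerable models the pre-1.25.4 decision as the advisory describes
// it (simplified assumption): the caller must have write access to the
// repository named in the request and must be the uploader. Nothing checks
// that the attachment actually belongs to that repository.
func CanDeleteVulnerable(ctx RequestContext, a *Attachment) (bool, string) {
	if !ctx.Repo.Writers[ctx.UserID] {
		return false, "no write access to addressed repository"
	}
	if a.UploaderID != ctx.UserID {
		return false, "not the uploader"
	}
	return true, "ok"
}

// CanDeleteFixed adds the check introduced by the patch: the attachment's
// RepoID must match the repository in the request context. The uploader check
// is only reached for attachments that really belong to the addressed repository.
func CanDeleteFixed(ctx RequestContext, a *Attachment) (bool, string) {
	if !ctx.Repo.Writers[ctx.UserID] {
		return false, "no write access to addressed repository"
	}
	if a.RepoID != ctx.Repo.ID {
		return false, "attachment does not belong to this repository"
	}
	if a.UploaderID != ctx.UserID {
		return false, "not the uploader"
	}
	return true, "ok"
}

// CrossRepoScenario builds the constructed situation from the advisory: user 42
// uploaded an attachment to repository 1 while they had access, was later
// removed from it, and now routes the delete request through repository 2,
// which they still control. UUIDs are placeholders.
func CrossRepoScenario() (RequestContext, *Attachment) {
	victim := &Repository{ID: 1, Name: "acme/releases", Writers: map[int64]bool{100: true}} // user 42 no longer listed
	pivot := &Repository{ID: 2, Name: "user42/pivot", Writers: map[int64]bool{42: true}}
	att := &Attachment{UUID: "placeholder-uuid-0001", RepoID: victim.ID, UploaderID: 42}
	return RequestContext{Repo: pivot, UserID: 42}, att
}

// LegitimateScenario is the control case: the uploader still has write access
// and addresses the request at the repository the attachment belongs to.
func LegitimateScenario() (RequestContext, *Attachment) {
	repo := &Repository{ID: 1, Name: "acme/releases", Writers: map[int64]bool{42: true, 100: true}}
	att := &Attachment{UUID: "placeholder-uuid-0002", RepoID: repo.ID, UploaderID: 42}
	return RequestContext{Repo: repo, UserID: 42}, att
}

func main() {
	ctx, att := CrossRepoScenario()
	v, vr := CanDeleteVulnerable(ctx, att)
	f, fr := CanDeleteFixed(ctx, att)
	fmt.Printf("cross-repo request:  vulnerable=%v (%s)  fixed=%v (%s)\n", v, vr, f, fr)

	ctx, att = LegitimateScenario()
	v, vr = CanDeleteVulnerable(ctx, att)
	f, fr = CanDeleteFixed(ctx, att)
	fmt.Printf("legitimate request:  vulnerable=%v (%s)  fixed=%v (%s)\n", v, vr, f, fr)
}
```

Running it shows the cross-repository request allowed by the old logic and rejected by the patched one, while the legitimate delete passes both. The general lesson for any handler that takes an object ID from the request body: authorisation must be evaluated against the repository the object belongs to, not the repository the URL happens to name.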
Exploit Details
- Theory: Exploitation involves sending a cross-repository POST request with a known file UUID.
Mitigation Strategies
- Upgrade Gitea to version 1.25.4 or later immediately.
- Restrict public registration to prevent attackers from creating new 'pivot' repositories.
- Regularly audit attachment deletion logs for suspicious activity.
Remediation Steps:
- Backup your current Gitea database and configuration.
- Download the 1.25.4 binary or pull the latest docker image: docker pull gitea/gitea:1.25.4
- Restart the Gitea service.
- Verify the version in the footer of the Gitea web interface.