DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-20750: Project Mayhem: Gitea Cross-Org IDOR (CVE-2026-20750)

Vulnerability ID: CVE-2026-20750
CVSS Score: 9.1
Published: 2026-01-23

A critical IDOR vulnerability in Gitea allows attackers with project write access in one organization to modify or delete projects in completely unrelated organizations. It's a classic case of checking permissions for the wrong object.

TL;DR

If you have write access to any organization's projects on a Gitea instance (version <= 1.25.3), you can close, reopen, or delete any project on the entire server. This is a textbook Insecure Direct Object Reference (IDOR): the application validates your permission to perform the action, but never validates that the object you are acting upon belongs to the organization you are acting in.
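The ownership mix-up described above, modelled as an added Go example (this is not Gitea's code): the pre-fix lookup keyed only on the global project ID sits beside the owner-scoped lookup, and a single route handler shows how the same authenticated request is either honoured or answered as not-found depending on which lookup is used. `Project`, `Store`, `CloseProject` and the org/project IDs are constructed stand-ins; only the two lookup names follow the function names in the upstream fix commit.

```go
package main

import "errors"

// Minimal stand-in for Gitea's project model; all IDs are constructed sample data.
type Project struct {
	ID, OwnerID int64
	IsClosed    bool
}

var ErrProjectNotExist = errors.New("project does not exist")

// Store holds every project on the server, keyed by its global ID.
type Store map[int64]*Project

func NewSampleStore() Store {
	return Store{
		1: {ID: 1, OwnerID: 100}, // belongs to Org A (owner id 100)
		2: {ID: 2, OwnerID: 200}, // belongs to Org B (owner id 200)
	}
}

// Pre-fix lookup: the path parameter is the only key, so any project on the server matches.
func (s Store) GetProjectByID(id int64) (*Project, error) {
	if p, ok := s[id]; ok {
		return p, nil
	}
	return nil, ErrProjectNotExist
}

// Post-fix lookup: the project must also belong to the owner the route is scoped to.
func (s Store) GetProjectByIDAndOwner(id, ownerID int64) (*Project, error) {
	if p, ok := s[id]; ok && p.OwnerID == ownerID {
		return p, nil
	}
	return nil, ErrProjectNotExist
}

// CloseProject models the org route. The router has already confirmed write access
// to ctxOrgID (the org in the URL); that check says nothing about the project's owner.
func CloseProject(s Store, ctxOrgID, projectID int64, ownerScoped bool) error {
	lookup := s.GetProjectByID
	if ownerScoped {
		lookup = func(id int64) (*Project, error) { return s.GetProjectByIDAndOwner(id, ctxOrgID) }
	}
	p, err := lookup(projectID)
	if err == nil {
		p.IsClosed = true
	}
	return err
}
```

With `ownerScoped=false` a member of Org A closes Org B's project; with `ownerScoped=true` the same request fails with `ErrProjectNotExist`, indistinguishable from a project that does not exist at all.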


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-284 (Improper Access Control)
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 9.1 (Critical)
  • Root Cause: Missing ownership validation on Project ID lookup
  • Prerequisites: Authenticated User, Write Access to ANY Organization Project
  • Exploit Status: High (Trivial Logic Flaw)

Affected Systems

  • Gitea Server
  • Gitea: <= 1.25.3 (Fixed in: 1.25.4)

Code Analysis

Commit: 7b5de59

Fix project ownership check in org routes

func ChangeProjectStatus(ctx *context.Context) {
-   id := ctx.PathParamInt64("id")
+   id := ctx.PathParamInt64("id")
+   project, err := project_model.GetProjectByIDAndOwner(ctx, id, ctx.ContextUser.ID)
+   if err != nil {
+       ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
+       return
+   }
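Review bot: the error label passed to ctx.NotFoundOrServerError in the added block still reads "GetProjectByID" although the call that can fail is now project_model.GetProjectByIDAndOwner; update the label so a log entry points at the function that actually returned the error. The `-` and `+` lines for `id := ctx.PathParamInt64("id")` are identical, so the hunk as shown does not include the lookup it replaces; the removed original lookup line should be part of the diff for the change to be reviewable. The commit message says "org routes" but only ChangeProjectStatus is shown here; confirm that the delete route named in the advisory receives the same owner-scoped lookup.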

Exploit Details

  • Hypothetical PoC: Exploitation involves sending an authenticated POST request to an organization project endpoint using a Project ID belonging to a different organization.

Mitigation Strategies

  • Upgrade Gitea to version 1.25.4 or later immediately.
  • Restrict 'Project Write' permissions in organizations to trusted users only until patched.
  • Monitor access logs for cross-reference anomalies (e.g., Referer header belonging to Org A while request target is Org B, though unreliable).

Remediation Steps:

  1. Stop the Gitea service.
  2. Download the 1.25.4 binary or pull the latest Docker image.
  3. Replace the binary/image.
  4. Restart the service.
  5. Verify the version in the footer.

Read the full report for CVE-2026-20750 on our website for more details including interactive diagrams and full exploit analysis.