The Ghost in the API: Gitea's Zombie Notification Leak (CVE-2026-20800)
Vulnerability ID: CVE-2026-20800
CVSS Score: 6.5
Published: 2026-01-23
A classic logic flaw in Gitea's notification system allows users to read issue and pull request titles from private repositories they no longer have access to. Notification rows are written when an event happens, and because Gitea did not re-validate the user's permission when those rows were later retrieved through the API, a user removed from a repository kept 'zombie' access to the titles of new issues and PRs.
TL;DR
If you kick a user out of a private Gitea repository, they shouldn't see what happens next. Due to a failure to check permissions during notification retrieval, removed users could still see the titles of new Issues and Pull Requests via the API. Fixed in version 1.25.4.
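The retrieval-time check that the fix introduces, written here as an added Go example rather than Gitea's own code: a constructed in-memory access table and a few notification rows stand in for the database, `ListVulnerable` mirrors the pre-fix path (owning the row is treated as proof of access) and `ListFixed` re-validates against the current access table before serialising anything. The type names, user IDs, repository names and titles are constructed sample data, not Gitea identifiers.

```go
package main

import "fmt"

// AccessMode is a constructed stand-in for Gitea's perm.AccessMode.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
)

// Repository and Notification are constructed stand-ins for the ORM models.
type Repository struct {
	ID      int64
	Name    string
	Private bool
}

// A Notification row is written when the event happens. It records who was
// subscribed at that moment and is never updated when membership changes.
type Notification struct {
	UserID  int64
	Repo    *Repository
	Subject string // issue or PR title: the field that leaked
}

// Collaborators models the CURRENT access table: repoID -> userID -> mode.
type Collaborators map[int64]map[int64]AccessMode

// Permission answers "what can this user do in this repo right now?"
func (c Collaborators) Permission(repo *Repository, userID int64) AccessMode {
	if !repo.Private {
		return AccessModeRead // public repos are readable by any authenticated user
	}
	return c[repo.ID][userID] // a missing entry yields AccessModeNone
}

// APINotification is the shape handed back to the API client.
type APINotification struct {
	RepoName string
	Subject  string
}

// ListVulnerable mirrors the pre-fix behaviour: ownership of the notification row
// is taken as proof of access, so a removed user still gets the title.
func ListVulnerable(notifs []*Notification, userID int64) []*APINotification {
	var out []*APINotification
	for _, n := range notifs {
		if n.UserID != userID {
			continue
		}
		out = append(out, &APINotification{RepoName: n.Repo.Name, Subject: n.Subject})
	}
	return out
}

// ListFixed re-validates permission against the current access table at retrieval
// time and drops the whole notification (subject included) when access is gone.
func ListFixed(c Collaborators, notifs []*Notification, userID int64) []*APINotification {
	var out []*APINotification
	for _, n := range notifs {
		if n.UserID != userID {
			continue
		}
		if c.Permission(n.Repo, userID) < AccessModeRead {
			continue // user was removed after the row was written: zombie notification
		}
		out = append(out, &APINotification{RepoName: n.Repo.Name, Subject: n.Subject})
	}
	return out
}

// BuildScenario constructs sample data: user 42 was a collaborator on the private
// repo when the notifications were written and has since been removed; user 7 is
// still a member.
func BuildScenario() (Collaborators, []*Notification) {
	private := &Repository{ID: 1, Name: "acme/infra", Private: true}
	public := &Repository{ID: 2, Name: "acme/website", Private: false}
	current := Collaborators{
		1: {7: AccessModeWrite}, // user 42 is no longer listed here
		2: {},
	}
	notifs := []*Notification{
		{UserID: 42, Repo: private, Subject: "Rotate the production DB credentials"},
		{UserID: 42, Repo: public, Subject: "Fix typo in README"},
		{UserID: 7, Repo: private, Subject: "Rotate the production DB credentials"},
	}
	return current, notifs
}

func main() {
	c, notifs := BuildScenario()
	fmt.Println("vulnerable path returns", len(ListVulnerable(notifs, 42)), "notifications for removed user 42")
	fixed := ListFixed(c, notifs, 42)
	fmt.Println("fixed path returns", len(fixed), "notification(s) for removed user 42:")
	for _, n := range fixed {
		fmt.Printf("  %s: %s\n", n.RepoName, n.Subject)
	}
}
```

The point of doing the check per row at read time, rather than cleaning up notification rows when a user is removed, is that it also covers every other path by which access can lapse (team changes, repository going private, organisation removal) without needing a hook in each of them.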
Technical Details
- CWE: CWE-862 (Missing Authorization)
- Attack Vector: Network (API)
- CVSS v3.1: 6.5 (Medium)
- Impact: Information Disclosure
- Privileges: Low (Authenticated User)
- User Interaction: None
Affected Systems
- Gitea Self-Hosted Server: <= 1.25.3 (fixed in 1.25.4)
Code Analysis
Commit: 67e75f3
Fix notification API permission check
- result.Repository = ToRepo(ctx, n.Repository, access_model.Permission{AccessMode: perm.AccessModeRead})
+ perm, err := access_model.GetUserRepoPermission(ctx, n.Repository, n.User)
+ if perm.HasAnyUnitAccessOrPublicAccess() { result.Repository = ToRepo(ctx, n.Repository, perm) }
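Review bot: `err` from `GetUserRepoPermission` on the first `+` line is assigned but never checked before `perm` is used on the next line; add `if err != nil { return nil, err }` (or whatever this converter's error path is) so a failed lookup cannot fall through to `HasAnyUnitAccessOrPublicAccess()` on a zero-value Permission. Two smaller points on the same lines: the new local `perm` shadows the `perm` package that the removed line used for `perm.AccessModeRead`, so any remaining reference to that package in this function will no longer compile and a name like `repoPerm` avoids the confusion; and since the leak described above is the issue/PR title, gating only `result.Repository` deserves a second look, because the notification's subject fields also need to be withheld (or the notification dropped) when the check fails.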
Mitigation Strategies
- Upgrade Gitea to 1.25.4 or later; there is no configuration workaround for a missing server-side permission check.
- Treat repository removal as part of offboarding: after removing a user from a private repository, confirm with their account that the notifications API no longer returns that repository's issues or PRs.
- Audit API access logs for notification requests from accounts that were removed from private repositories, since on unpatched versions those requests returned issue and PR titles.
Remediation Steps:
- Stop the Gitea service.
- Download the binary for version 1.25.4 or later.
- Replace the old binary.
- Restart the Gitea service.
- Verify the version in the footer or API.
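To script the last step, an added Go example (not part of this page or of Gitea) that queries the instance's `/api/v1/version` endpoint, which returns a JSON object with a `version` field, and compares the reported version against 1.25.4. It assumes the endpoint is reachable from where the check runs; the `GITEA_URL` environment variable and the handling of `-rc` and `+dev` suffixes are choices made here, not Gitea conventions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// FixedVersion is the first release carrying the notification permission fix.
const FixedVersion = "1.25.4"

// ParseVersion turns a Gitea version string into its numeric core. It tolerates a
// leading "v" and drops build suffixes such as "1.26.0+dev-12-gabcdef"; a "-rc"
// suffix is reported as a prerelease, which sorts below the matching release.
func ParseVersion(v string) (core [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		prerelease = strings.HasPrefix(v[i:], "-rc")
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, false, fmt.Errorf("unexpected version format %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, false, fmt.Errorf("non-numeric component %q in version %q", p, v)
		}
		core[i] = n
	}
	return core, prerelease, nil
}

// IsPatched reports whether the given version is at or above FixedVersion.
func IsPatched(v string) (bool, error) {
	got, pre, err := ParseVersion(v)
	if err != nil {
		return false, err
	}
	want, _, _ := ParseVersion(FixedVersion)
	for i := 0; i < 3; i++ {
		if got[i] != want[i] {
			return got[i] > want[i], nil // a later major/minor/patch is patched, rc or not
		}
	}
	return !pre, nil // exactly 1.25.4: patched unless it is a release candidate
}

// FetchVersion calls GET {baseURL}/api/v1/version and returns the "version" field.
func FetchVersion(baseURL string) (string, error) {
	resp, err := http.Get(strings.TrimRight(baseURL, "/") + "/api/v1/version")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	var body struct {
		Version string `json:"version"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if body.Version == "" {
		return "", fmt.Errorf("response carried no version field")
	}
	return body.Version, nil
}

func main() {
	base := os.Getenv("GITEA_URL") // assumed: base URL of the instance, e.g. https://git.example.internal
	if base == "" {
		fmt.Fprintln(os.Stderr, "set GITEA_URL to the instance base URL")
		os.Exit(2)
	}
	v, err := FetchVersion(base)
	if err != nil {
		fmt.Fprintln(os.Stderr, "version check failed:", err)
		os.Exit(1)
	}
	ok, err := IsPatched(v)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot interpret version:", err)
		os.Exit(1)
	}
	if !ok {
		fmt.Printf("%s reports %s: still affected by CVE-2026-20800, upgrade to %s or later\n", base, v, FixedVersion)
		os.Exit(1)
	}
	fmt.Printf("%s reports %s: patched\n", base, v)
}
```

A non-zero exit on an unpatched or unparseable version makes the check usable as a post-upgrade gate in a deployment pipeline; checking the API rather than the footer also catches a restart that silently came back on the old binary.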
References
Read the full report for CVE-2026-20800 on our website for more details including interactive diagrams and full exploit analysis.