DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-20883: The Zombie Stopwatch: Haunting Gitea with Revoked Access

Vulnerability ID: CVE-2026-20883
CVSS Score: 6.5
Published: 2026-01-23

A logic flaw in Gitea's stopwatch feature created a persistence vulnerability: users retained visibility into private issue metadata after their access had been revoked. Because permissions were not re-validated when the API objects were serialized, 'zombie' stopwatch records (started while the user still had access) continued to leak issue titles and repository names.

TL;DR

Gitea forgot to check if you still work there before showing you your timesheets. If a user started a stopwatch on a private issue and then lost access to the repository, the API would still happily serve up the issue title and repo name in the stopwatch list. It's a classic Broken Access Control (CWE-284) fixed in version 1.25.4.
Technical Details

  • CVE ID: CVE-2026-20883
  • CWE: CWE-284 (Improper Access Control)
  • CVSS Score: 6.5 (Medium)
  • Attack Vector: Network (API)
  • Fix Version: 1.25.4
  • Impact: Information Disclosure

Affected Systems

  • Gitea self-hosted instances
  • Gitea Docker containers
  • Gitea: <= 1.25.3 (Fixed in: 1.25.4)

Code Analysis

Commit: 95ea2df

Fix stopwatch permission check and cleanup logic

func ToStopWatches(ctx, stopwatches, doer) {
+ perm, err = access_model.GetUserRepoPermission(ctx, repo, doer)
+ if !perm.CanReadIssuesOrPulls(issue.IsPull) { continue }
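Review bot: in the visible lines `err` returned by `access_model.GetUserRepoPermission` is assigned but never checked before `perm` is used; if the lookup fails, `perm` holds a zero value and the `continue` decision on the next line rests on it. Add an `if err != nil { ... }` branch (return the error, or log it and skip the record) before calling `perm.CanReadIssuesOrPulls`. The excerpt also uses `repo` and `issue` without showing where they are loaded for each stopwatch; showing the loop body would let a reviewer confirm that the check runs once per record and before any title or repository name is copied into the API object.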

Exploit Details

  • Theory: Exploitation involves standard API calls to /user/stopwatches after permission revocation.

Mitigation Strategies

  • Upgrade to Gitea 1.25.4 or later immediately.
  • Implement a regular audit of the 'stopwatch' table to detect orphaned records.
  • If patching is delayed, manually force-stop all of a departing user's active stopwatches as part of the offboarding process.
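The following Go program is an added example, not Gitea's code, illustrating both the serialization flaw described in the summary and the 'orphaned record' audit suggested above. All type and function names (Store, Repo, Issue, Stopwatch, canReadIssue, VulnerableToStopWatches, FixedToStopWatches, OrphanedStopwatches, SampleStore) are assumptions made for this example, and the repositories, issues and stopwatch rows are constructed data. canReadIssue stands in for the GetUserRepoPermission plus CanReadIssuesOrPulls check from the fix commit; the point is that it is evaluated at serialization time, against current access, rather than trusting that the stopwatch was legitimately created.

```go
package main

import "fmt"

// Constructed toy model of the data behind CVE-2026-20883. The type and
// function names are assumptions for this example, not Gitea's own.
type Repo struct {
	ID      int64
	Name    string
	Private bool
	Readers map[int64]bool // user IDs currently allowed to read issues
}

type Issue struct {
	ID     int64
	RepoID int64
	Title  string
}

type Stopwatch struct {
	ID      int64
	UserID  int64 // the user who started the stopwatch
	IssueID int64
}

// APIStopwatch carries exactly the two fields the advisory says leaked.
type APIStopwatch struct {
	IssueTitle string
	RepoName   string
}

type Store struct {
	Repos  map[int64]*Repo
	Issues map[int64]*Issue
}

// canReadIssue stands in for GetUserRepoPermission + CanReadIssuesOrPulls.
// It evaluates access now, not at stopwatch creation time. Missing rows
// are treated as unreadable so a dangling reference never leaks anything.
func (s *Store) canReadIssue(userID int64, issue *Issue) bool {
	if issue == nil {
		return false
	}
	repo, ok := s.Repos[issue.RepoID]
	if !ok {
		return false
	}
	if !repo.Private {
		return true
	}
	return repo.Readers[userID]
}

// VulnerableToStopWatches mirrors the pre-1.25.4 logic: every stopwatch the
// user owns is serialized, so a user whose access was revoked still sees
// the private issue title and repository name.
func (s *Store) VulnerableToStopWatches(userID int64, sws []Stopwatch) []APIStopwatch {
	out := []APIStopwatch{}
	for _, sw := range sws {
		if sw.UserID != userID {
			continue
		}
		issue := s.Issues[sw.IssueID]
		out = append(out, APIStopwatch{issue.Title, s.Repos[issue.RepoID].Name})
	}
	return out
}

// FixedToStopWatches re-validates the permission during serialization and
// silently skips zombie records whose owner has lost access.
func (s *Store) FixedToStopWatches(userID int64, sws []Stopwatch) []APIStopwatch {
	out := []APIStopwatch{}
	for _, sw := range sws {
		if sw.UserID != userID {
			continue
		}
		issue := s.Issues[sw.IssueID]
		if !s.canReadIssue(sw.UserID, issue) {
			continue // zombie record: do not copy title or repo name
		}
		out = append(out, APIStopwatch{issue.Title, s.Repos[issue.RepoID].Name})
	}
	return out
}

// OrphanedStopwatches is the audit from the mitigation list: IDs of
// stopwatches whose owner can no longer read the issue (force-stop candidates).
func (s *Store) OrphanedStopwatches(sws []Stopwatch) []int64 {
	ids := []int64{}
	for _, sw := range sws {
		if !s.canReadIssue(sw.UserID, s.Issues[sw.IssueID]) {
			ids = append(ids, sw.ID)
		}
	}
	return ids
}

// SampleStore builds constructed data: user 7 started stopwatches on a
// public issue and on a private issue, then was removed from the private
// repository; user 3 still has access to it.
func SampleStore() (*Store, []Stopwatch) {
	s := &Store{
		Repos: map[int64]*Repo{
			1: {ID: 1, Name: "public-tools", Private: false},
			2: {ID: 2, Name: "secret-roadmap", Private: true, Readers: map[int64]bool{3: true}},
		},
		Issues: map[int64]*Issue{
			10: {ID: 10, RepoID: 1, Title: "Fix flaky CI job"},
			20: {ID: 20, RepoID: 2, Title: "Unannounced product launch plan"},
		},
	}
	sws := []Stopwatch{{ID: 1, UserID: 7, IssueID: 10}, {ID: 2, UserID: 7, IssueID: 20}, {ID: 3, UserID: 3, IssueID: 20}}
	return s, sws
}

func main() {
	s, sws := SampleStore()
	fmt.Println("vulnerable:", s.VulnerableToStopWatches(7, sws)) // still lists secret-roadmap
	fmt.Println("fixed:     ", s.FixedToStopWatches(7, sws))      // public-tools only
	fmt.Println("orphaned:  ", s.OrphanedStopwatches(sws))        // stopwatch 2
}
```

Running the audit function on the real table would be the verification step for remediation step 4 as well: after the upgrade, a user in the orphaned list should receive an empty entry for that record from the stopwatch endpoint, while a user who still has access (user 3 here) continues to see it.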

Remediation Steps:

  1. Backup your Gitea configuration and database.
  2. Download the 1.25.4 binary or pull the latest Docker image.
  3. Restart the Gitea service.
  4. Verify the fix by attempting to view stopwatches for a user with revoked access.

Read the full report for CVE-2026-20883 on our website for more details including interactive diagrams and full exploit analysis.