DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-20897: Unlock Everything: The Gitea LFS IDOR (CVE-2026-20897)


Vulnerability ID: CVE-2026-20897
CVSS Score: 9.1
Published: 2026-01-23

A critical Insecure Direct Object Reference (IDOR) in Gitea's Git LFS implementation allows authenticated users to delete file locks across any repository on the instance.

TL;DR

Gitea looked up Git LFS locks by lock ID alone and never scoped the lookup to the repository named in the request. An attacker sends an unlock request to a repository they have write access to, but supplies the ID of a lock held in a victim's repository. Gitea checks permissions against the attacker's repository, then fetches the lock by ID from the instance-wide lock table and deletes the victim's lock. Because LFS locks exist to stop two people editing the same unmergeable binary at once, removing someone else's lock disrupts their workflow and opens the door to conflicting pushes that lose or corrupt binary files.
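The mechanism described above, as an added example that is not Gitea's code: an in-memory stand-in for the instance-wide lock table with both lookups side by side, and a handler that checks write permission on the repository in the route and then deletes whatever the lookup returns. The identifiers, the permission map and the seeded locks are constructed for the walkthrough; `GetLFSLockByID` and `GetLFSLockByIDAndRepo` keep the names from the fix commit but are reimplementations, not the project's functions.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors for the lookup and the handler.
var (
	ErrLockNotFound = errors.New("lfs lock not found")
	ErrForbidden    = errors.New("no write access to repository")
)

// LFSLock is a cut-down stand-in for a lock row (id, repo_id, owner_id, path).
type LFSLock struct {
	ID, RepoID, OwnerID int64
	Path                string
}

// LockStore stands in for the instance-wide lock table, keyed by primary
// key, which is exactly what an ORM lookup by ID alone sees.
type LockStore struct{ Locks map[int64]*LFSLock }

// Constructed identifiers for the walkthrough (hypothetical values).
const (
	VictimRepo, AttackerRepo int64 = 100, 200
	VictimUser, AttackerUser int64 = 1, 2
	VictimLock, AttackerLock int64 = 1, 2 // one lock in each repository
)

// Writers stands in for the permission lookup: repo ID -> users with write access.
var Writers = map[int64][]int64{VictimRepo: {VictimUser}, AttackerRepo: {AttackerUser}}

// SeedStore returns a fresh store holding one lock per repository.
func SeedStore() *LockStore {
	return &LockStore{Locks: map[int64]*LFSLock{
		VictimLock:   {ID: VictimLock, RepoID: VictimRepo, OwnerID: VictimUser, Path: "assets/model.bin"},
		AttackerLock: {ID: AttackerLock, RepoID: AttackerRepo, OwnerID: AttackerUser, Path: "scratch.bin"},
	}}
}

// GetLFSLockByID mirrors the pre-1.25.4 lookup: the primary key is the only
// filter, so a lock belonging to any repository is returned.
func (s *LockStore) GetLFSLockByID(id int64) (*LFSLock, error) {
	if l, ok := s.Locks[id]; ok {
		return l, nil
	}
	return nil, ErrLockNotFound
}

// GetLFSLockByIDAndRepo mirrors the fix: the row must also carry the
// requesting repository's ID, the in-memory equivalent of AND repo_id = ?.
func (s *LockStore) GetLFSLockByIDAndRepo(id, repoID int64) (*LFSLock, error) {
	if l, ok := s.Locks[id]; ok && l.RepoID == repoID {
		return l, nil
	}
	return nil, ErrLockNotFound
}

func canWrite(userID, repoID int64) bool {
	for _, u := range Writers[repoID] {
		if u == userID {
			return true
		}
	}
	return false
}

// Unlock models the unlock handler. The permission check runs against
// routeRepoID, the repository named in the request URL, while lockID is
// also attacker-supplied. scoped=false uses the unscoped lookup.
func Unlock(s *LockStore, userID, routeRepoID, lockID int64, scoped bool) error {
	if !canWrite(userID, routeRepoID) {
		return ErrForbidden
	}
	lookup := s.GetLFSLockByID
	if scoped {
		lookup = func(id int64) (*LFSLock, error) { return s.GetLFSLockByIDAndRepo(id, routeRepoID) }
	}
	lock, err := lookup(lockID)
	if err != nil {
		return err
	}
	delete(s.Locks, lock.ID)
	return nil
}

func main() {
	for _, scoped := range []bool{false, true} {
		s := SeedStore()
		// The attacker is a writer on AttackerRepo but names the victim's lock ID.
		err := Unlock(s, AttackerUser, AttackerRepo, VictimLock, scoped)
		_, stillLocked := s.Locks[VictimLock]
		fmt.Printf("scoped=%-5v err=%v victim lock still present=%v\n", scoped, err, stillLocked)
	}
}
```

Running it prints one line per mode: with the unscoped lookup the attacker's request against their own repository removes the victim's lock; with the scoped lookup the same request gets a not-found error and the lock survives, while the permission check on the route still blocks a request aimed directly at the victim's repository.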


⚠️ Exploit Status: PoC

Technical Details

  • CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
  • CVSS: 9.1 (Critical)
  • Attack Vector: Network (Authenticated)
  • Impact: Integrity / Availability
  • Exploit Status: PoC Available (Theoretical)
  • EPSS Score: 0.00017

Affected Systems

  • Gitea <= 1.25.3 (fixed in 1.25.4)

Code Analysis

Commit: da036f3

Fix LFS lock IDOR by scoping lookup to repository ID

- func GetLFSLockByID(ctx context.Context, id int64) (*LFSLock, error) {
+ func GetLFSLockByIDAndRepo(ctx context.Context, id, repoID int64) (*LFSLock, error) {
- has, err := db.GetEngine(ctx).ID(id).Get(lock)
+ has, err := db.GetEngine(ctx).ID(id).And("repo_id = ?", repoID).Get(lock)
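Review bot: the rename to GetLFSLockByIDAndRepo changes the signature, and the hunk shown here covers only the model-layer lookup, so every caller (the unlock handler above all) has to be updated to pass the repository ID resolved from the route the permission check already ran on; if a call site passes a value taken from the request body instead, `.And("repo_id = ?", repoID)` filters on attacker-controlled input and the fix is a no-op. Also worth confirming that the `has == false` case for a lock that exists in another repository is surfaced to the client exactly like a nonexistent ID, so the scoped lookup does not become an oracle for lock IDs in other repositories.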

Exploit Details

  • Internal Research: The logic flaw is visible in the source prior to version 1.25.4 (the unscoped lookup in the commit above). No exploit script is needed to reproduce it; the Git LFS locking API is plain JSON over HTTP, so a standard curl request suffices.

Mitigation Strategies

  • Upgrade Gitea to version 1.25.4 or later.
  • If patching is not immediately possible, disable Gitea's built-in LFS server in app.ini. Note that this refuses all LFS traffic (object fetches and pushes, not just locks) for every repository on the instance.
  • Monitor the access log for unlock requests on LFS lock endpoints (POST <owner>/<repo>.git/info/lfs/locks/<id>/unlock) from users who do not normally lock files in that repository. Lock IDs come from one instance-wide table, so an unlock request on a repository naming an ID that was never issued for that repository is the signature of this attack; 404 and 204 responses on these endpoints from unexpected users are worth investigating as well.
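For the second mitigation, the switch that turns Gitea's built-in LFS server off is `LFS_START_SERVER` in the `[server]` section of app.ini. This fragment is added here as an illustration and is not taken from the original report:

```ini
[server]
; Added example, not from the original report.
; With the LFS server off, Gitea refuses every /info/lfs/ request,
; lock creation and deletion included, for all repositories on the
; instance until the value is set back to true and Gitea is restarted.
LFS_START_SERVER = false
```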

Remediation Steps:

  1. Back up your Gitea configuration and database before upgrading.
  2. Pull the patched image: docker pull gitea/gitea:1.25.4 (or any later release).
  3. Restart the Gitea container so it runs the new image.
  4. Verify the version number in the site footer, or query GET /api/v1/version on the instance, and confirm it reports 1.25.4 or later.

Read the full report for CVE-2026-20897 on our website for more details including interactive diagrams and full exploit analysis.
