Gitea OpenID Visibility Toggle IDOR: The "Trust Me, Bro" Update Query
Vulnerability ID: CVE-2026-20904
CVSS Score: 6.5
Published: 2026-01-23
A classic Insecure Direct Object Reference (IDOR) vulnerability in Gitea versions prior to 1.25.4 allowed authenticated users to toggle the visibility of OpenID credentials belonging to any other user. The flaw stemmed from a database update query that checked the record ID but failed to verify the record owner.
TL;DR
Gitea developers forgot the golden rule of access control: verify ownership. By sending a request to the OpenID visibility toggle endpoint and iterating through IDs, an attacker could hide or show OpenID connections for every user on the instance. The fix involved adding a simple AND uid = ? clause to the SQL query.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network
- CVSS v3.1: 6.5
- Impact: Integrity Loss
- Privileges Required: Low (Authenticated)
- Exploit Status: PoC Available
Affected Systems
- Gitea <= 1.25.3 (all releases before 1.25.4; fixed in 1.25.4)
Code Analysis
Commit: ed5720a
Fix toggle user openid visibility
func ToggleUserOpenIDVisibility(ctx context.Context, id int64, user *User) error {
- _, err = db.GetEngine(ctx).Exec("update `user_open_id` set `show` = not `show` where `id` = ?", id)
+ affected, err := db.GetEngine(ctx).Exec("update `user_open_id` set `show` = not `show` where `id` = ? AND uid = ?", id, user.ID)
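Review bot: the `+` line captures `affected` but the hunk does not show it being checked; with the new `AND uid = ?` clause, a toggle on a record that exists but belongs to another user (or does not exist at all) now matches zero rows and would otherwise return nil as if it had succeeded, so the function should inspect `affected.RowsAffected()` and return a not-found or permission error when it is 0, which also gives request logs something to record when an ID is being probed. Minor: the removed line assigns with `err =` while the new one uses `:=`, which is fine in Go as long as `affected` is new in that scope, but worth confirming against the lines outside the hunk.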
Exploit Details
- Hypothetical: Burp Intruder iteration over 'id' parameter on toggle endpoint.
Mitigation Strategies
- Scope all database UPDATE/DELETE queries to the authenticated user's ID (e.g., WHERE id=? AND user_id=?), and treat a zero-row result as a denied request rather than a success.
- Use UUIDs instead of sequential integers for public-facing resource IDs to prevent enumeration (this slows ID guessing but does not replace the ownership check).
- Implement centralized access control checks (middleware) rather than ad-hoc checks in model functions.
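To make the effect of the one-clause fix concrete, here is an added example (not Gitea's code) that models the user_open_id table in SQLite from Python and runs the pre-fix and post-fix query shapes against constructed rows; the function names, the sample rows and the "zero rows updated means deny" check are assumptions of this example, not the project's API.

```python
import sqlite3

# Constructed sample data (not from any real Gitea instance):
# (id, uid, uri, show) -- user 100 owns record 1, user 200 owns record 2.
SAMPLE_ROWS = [
    (1, 100, "https://alice.example/openid", 1),
    (2, 200, "https://bob.example/openid", 1),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the user_open_id table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_open_id (id INTEGER PRIMARY KEY, uid INTEGER, uri TEXT, show INTEGER)"
    )
    conn.executemany("INSERT INTO user_open_id VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def toggle_vulnerable(conn: sqlite3.Connection, record_id: int, caller_uid: int) -> int:
    """Pre-fix shape: only the record id is filtered; caller_uid is never consulted.
    Returns the number of rows changed (1 for any existing id, whoever owns it)."""
    cur = conn.execute("UPDATE user_open_id SET show = NOT show WHERE id = ?", (record_id,))
    conn.commit()
    return cur.rowcount


def toggle_fixed(conn: sqlite3.Connection, record_id: int, caller_uid: int) -> int:
    """Post-fix shape: the update is scoped to the caller's uid, and a zero row
    count is surfaced as an error instead of being reported as success."""
    cur = conn.execute(
        "UPDATE user_open_id SET show = NOT show WHERE id = ? AND uid = ?",
        (record_id, caller_uid),
    )
    conn.commit()
    if cur.rowcount == 0:
        raise PermissionError(f"openid record {record_id} is not owned by uid {caller_uid}")
    return cur.rowcount


def fixed_allows(conn: sqlite3.Connection, record_id: int, caller_uid: int) -> bool:
    """Convenience wrapper: True if the scoped toggle went through, False if denied."""
    try:
        toggle_fixed(conn, record_id, caller_uid)
        return True
    except PermissionError:
        return False


def show_flag(conn: sqlite3.Connection, record_id: int) -> int:
    """Current value of the show column for a record."""
    return conn.execute("SELECT show FROM user_open_id WHERE id = ?", (record_id,)).fetchone()[0]
```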
Remediation Steps:
- Upgrade Gitea to version 1.25.4 or later.
- If upgrading is impossible, apply the patch from commit ed5720af2ac94d74f822721c05b42b6148ff9c22 manually.
- Restart the Gitea service to apply changes.