Gitea Attachment Smuggling: The Private-to-Public Pipeline
Vulnerability ID: CVE-2026-20912
CVSS Score: 9.1
Published: 2026-01-23
A critical logic flaw in Gitea's attachment handling allows authenticated users to link files from private repositories to public releases, effectively bypassing access controls and exposing sensitive data to the internet.
TL;DR
Gitea failed to verify that an attachment belongs to the repository where it is being linked. An attacker with access to a private repository can take the UUID of a sensitive attachment and 'adopt' it into a public release or issue in a different repository. This exposes private files (binaries, configs, datasets) to the public internet. Fixed in version 1.25.4.
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network
- CVSS Score: 9.1 (Critical)
- EPSS Score: 0.00017
- Impact: High Confidentiality Loss
- Exploit Status: No Public PoC
Affected Systems
- Gitea Server
- Gitea: <= 1.25.3 (Fixed in: 1.25.4)
Code Analysis
Commit: fbea2c6
Fix delete attachment check and ensure RepoID matches context
if attach.RepoID != ctx.Repo.Repository.ID {
	ctx.HTTPError(http.StatusBadRequest, "attachment does not belong to this repository")
	return
}
Exploit Details
- N/A: No public automated exploit script available at this time.
Mitigation Strategies
- Strict input validation on object ownership
- Context-aware authorization checks
- Regular database integrity audits for orphaned or cross-linked records
Remediation Steps
- Upgrade Gitea to version 1.25.4 or later immediately.
- Run SQL audits to detect existing cross-linked attachments in the database.
- Review logs for 400 Bad Request errors on attachment endpoints (post-patch) to identify attempted exploitation.
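The SQL audit from the remediation steps, worked through as an added example (not code from the advisory or from Gitea): it builds a constructed in-memory copy of the relevant tables and lists every attachment whose repo_id disagrees with the repo of the release or issue it is linked to, which is the same mismatch the patched check rejects. The table and column names are an assumption based on Gitea's models; confirm them against your own instance before running the query for real.

```python
import sqlite3

# Constructed sample data shaped like Gitea's repository, release, issue and attachment
# tables. Column names are an ASSUMPTION from Gitea's models, not from the advisory.
SAMPLE_DB = """
CREATE TABLE repository (id INTEGER PRIMARY KEY, name TEXT, is_private INTEGER);
CREATE TABLE "release" (id INTEGER PRIMARY KEY, repo_id INTEGER);
CREATE TABLE issue (id INTEGER PRIMARY KEY, repo_id INTEGER);
CREATE TABLE attachment (id INTEGER PRIMARY KEY, uuid TEXT, repo_id INTEGER, issue_id INTEGER, release_id INTEGER, name TEXT);
INSERT INTO repository VALUES (1, 'acme/internal-secrets', 1), (2, 'acme/public-tools', 0);
INSERT INTO "release" VALUES (10, 2);
INSERT INTO issue VALUES (20, 2), (21, 1);
INSERT INTO attachment VALUES
  (1, 'uuid-legit-0001',   2,  0, 10, 'tool-v1.tar.gz'),        -- consistent
  (2, 'uuid-smuggle-0002', 1,  0, 10, 'prod-credentials.env'),  -- private file on public release
  (3, 'uuid-smuggle-0003', 1, 20,  0, 'customer-export.csv'),   -- private file on public issue
  (4, 'uuid-legit-0004',   1, 21,  0, 'design.pdf');            -- consistent, stays private
"""

# Flag every attachment whose own repo_id disagrees with the repo_id of the release
# or issue it is linked to: the same mismatch the patched handler now rejects.
AUDIT_SQL = """
SELECT a.id, a.uuid, a.name, a.repo_id, src.is_private, 'release', r.repo_id, dst.is_private
  FROM attachment a
  JOIN "release" r    ON r.id = a.release_id
  JOIN repository src ON src.id = a.repo_id
  JOIN repository dst ON dst.id = r.repo_id
 WHERE a.repo_id != r.repo_id
UNION ALL
SELECT a.id, a.uuid, a.name, a.repo_id, src.is_private, 'issue', i.repo_id, dst.is_private
  FROM attachment a
  JOIN issue i        ON i.id = a.issue_id
  JOIN repository src ON src.id = a.repo_id
  JOIN repository dst ON dst.id = i.repo_id
 WHERE a.repo_id != i.repo_id
"""

def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB)
    return conn

def find_cross_linked(conn: sqlite3.Connection) -> list[dict]:
    """One record per cross-linked attachment; marks private-to-public exposures."""
    keys = ("attachment_id", "uuid", "name", "source_repo", "source_private",
            "via", "target_repo", "target_private")
    findings = [dict(zip(keys, row)) for row in conn.execute(AUDIT_SQL)]
    for f in findings:
        # Worst case for this CVE: a private repo's file reachable through a public object.
        f["exposes_private"] = bool(f["source_private"]) and not f["target_private"]
    return sorted(findings, key=lambda f: f["attachment_id"])
```

Against a real instance, point the connection at the Gitea database instead of the constructed one; any row with exposes_private set is a file that should be pulled from the public object and rotated if it held secrets.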
References
Read the full report for CVE-2026-20912 on our website for more details including interactive diagrams and full exploit analysis.