Gitea: Broken access control in OpenID visibility toggle enables cross-user...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Basic Information

ID CVE-2026-20904

Source Gitea

Published Jan 22, 2026 at 22:01

Modified Jan 23, 2026 at 21:53

Affected Product

Vendor Gitea

Product Gitea Open Source Git Server

Affected Versions Gitea Gitea Open Source Git Server 0

CWE Classification

CWE-284 CWE-639

References

{
    "lastseen": "",
    "description": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.",
    "published": "2026-01-22T22:01:51.762Z",
    "modified": "2026-01-23T21:53:53.397Z",
    "type": "cve",
    "title": "Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes",
    "source": "Gitea",
    "references": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx\nhttps://github.com/go-gitea/gitea/pull/36346\nhttps://github.com/go-gitea/gitea/pull/36361\nhttps://github.com/go-gitea/gitea/releases/tag/v1.25.4\nhttps://blog.gitea.com/release-of-1.25.4/",
    "id": "CVE-2026-20904",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "Gitea Gitea Open Source Git Server 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Gitea Open Source Git Server",
    "version": "0",
    "vendor": "Gitea",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes_CVE-2026-20904