Gitea Release Notification Email Vulnerability for Private Repositories

Vulnerability

A vulnerability in Gitea allows release notification emails for private repositories to be sent to users whose access has been revoked. When a repository is switched from public to private, users who previously watched the repository may still receive release notifications. This can lead to the unintentional disclosure of release titles, tags, and content.

Impact

This vulnerability can result in unauthorized disclosure of release information from private repositories.

Reproduction

To reproduce this vulnerability, watch a public repository and then have it changed to private. After access has been revoked, release notification emails may still be sent, containing details that should remain confidential.
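As an added illustration of the bug class described above (constructed example, not Gitea's own code), the recipient-selection logic with the flawed version beside the fix: the flawed path sends to everyone on the watch list, while the fixed path re-checks each watcher's current access when the release notification is built. The `Repo`, `Release` and `canRead` names are assumptions for this example.

```go
package main

import "fmt"

// Repo and Release are constructed stand-ins for the advisory's
// scenario; they are not Gitea's types.
type Repo struct {
	Name          string
	IsPrivate     bool
	Watchers      []string        // watch list, kept as-is when visibility changes
	Collaborators map[string]bool // users who currently hold read access
}

type Release struct{ Repo *Repo; Tag, Title string }

// canRead is the assumed access check: public repos are readable by
// everyone, private repos only by current collaborators.
func canRead(user string, repo *Repo) bool {
	return !repo.IsPrivate || repo.Collaborators[user]
}

// releaseRecipientsVulnerable mirrors the flawed behaviour: it trusts
// the stale watch list and never re-checks access at send time.
func releaseRecipientsVulnerable(r Release) []string {
	return append([]string(nil), r.Repo.Watchers...)
}

// releaseRecipientsFixed re-evaluates each watcher's access when the
// notification is built, so users whose access was revoked are dropped.
func releaseRecipientsFixed(r Release) []string {
	var out []string
	for _, u := range r.Repo.Watchers {
		if canRead(u, r.Repo) {
			out = append(out, u)
		}
	}
	return out
}

func main() {
	repo := &Repo{Name: "acme/widgets", Watchers: []string{"alice", "bob", "mallory"},
		Collaborators: map[string]bool{"alice": true}}
	repo.IsPrivate = true // switched from public to private; watch list untouched
	rel := Release{Repo: repo, Tag: "v2.0.0", Title: "Internal build"}
	fmt.Println("vulnerable:", releaseRecipientsVulnerable(rel)) // [alice bob mallory]
	fmt.Println("fixed:", releaseRecipientsFixed(rel))           // [alice]
}
```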

Remediation

Users can manually check and update their repository access permissions. Gitea Cloud instances will be automatically upgraded to version 1.26.0, which addresses this vulnerability.

Added: Jan 22, 2026, 10:27 PM
Updated: Jan 22, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 6.5
remediation: 7.7
relevance: 2.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.