Gitea Notification API Repository Access Vulnerability

Vulnerability

A vulnerability exists in Gitea's notification API, specifically in versions through 1.25.4. The issue arises because the API fails to re-validate repository access permissions when delivering notification details. As a result, users who have had their access to a private repository revoked can still see issue and pull request titles through notifications received prior to the access removal.
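
The safe pattern the fix implies, as an added example that is not Gitea's own code: a notification stores a snapshot of the repository and issue title when it is created, so the delivery path must re-check repository read access at the moment the notification is served rather than trusting that snapshot. The types, the access table and the user and repository IDs below are constructed for the illustration.

```go
package main

import "fmt"

// Notification is a constructed stand-in for a stored notification: it
// carries the repository it belongs to and the issue or pull request title
// captured when the notification was created.
type Notification struct {
	RepoID     int64
	IssueTitle string
}

// AccessChecker answers "can this user read this repository right now?".
type AccessChecker func(userID, repoID int64) bool

// VisibleNotifications re-validates repository access at delivery time and
// drops notifications for repositories the user can no longer read, so a
// title captured before a revocation is not leaked afterwards.
func VisibleNotifications(userID int64, stored []Notification, canRead AccessChecker) []Notification {
	out := make([]Notification, 0, len(stored))
	for _, n := range stored {
		if canRead(userID, n.RepoID) {
			out = append(out, n)
		}
	}
	return out
}

// memberships is a constructed access table: repoID -> set of user IDs.
// It models "current" access, which is what the delivery path must consult.
type memberships map[int64]map[int64]bool

func (m memberships) canRead(userID, repoID int64) bool {
	return m[repoID][userID]
}

func main() {
	access := memberships{1: {42: true}, 2: {42: true}}
	stored := []Notification{
		{RepoID: 1, IssueTitle: "Rotate signing keys"},
		{RepoID: 2, IssueTitle: "Fix typo in public docs"},
	}
	// Access to repository 1 is revoked after both notifications were created;
	// only the repository 2 notification should still be delivered.
	delete(access[1], 42)
	for _, n := range VisibleNotifications(42, stored, access.canRead) {
		fmt.Printf("repo %d: %s\n", n.RepoID, n.IssueTitle)
	}
}
```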

Impact

Exploitation of this vulnerability allows for unauthorized access to private repository information, specifically issue and pull request titles, after access has been revoked.

Remediation

Users can upgrade to Gitea version 1.26.0 or later, where this issue has been addressed.

Added: Jan 22, 2026, 10:23 PM
Updated: Jan 22, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 5.0
remediation: 7.7
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.