Gitea Stopwatch API Repository Access Vulnerability

Vulnerability

A vulnerability exists in Gitea's stopwatch API, where repository access permissions are not properly re-validated. This issue allows users to view issue titles and repository names from private repositories even after their access has been revoked, through previously started stopwatches.

Impact

Exploitation of this vulnerability could lead to unauthorized visibility of private repository details, such as issue titles and repository names.

Reproduction

To reproduce this vulnerability, first access a private repository and start a stopwatch. Afterward, revoke the access to the repository. Despite the access being revoked, the issue titles and repository names can still be viewed through the stopwatch API, indicating that the access permissions were not properly updated.
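The defect is a missing re-check of repository permissions at the time the stopwatch list is served. The following Go sketch, added here as an illustration and not Gitea's own code, contrasts a listing that trusts the stored stopwatch rows with one that re-validates access on every request; the types, the `AccessChecker` callback and the sample grants are all hypothetical.

```go
package main

import "fmt"

// Stopwatch is a simplified stand-in for a running timer on an issue
// (hypothetical type, not Gitea's data model).
type Stopwatch struct {
	IssueID    int64
	RepoID     int64
	IssueTitle string
	RepoName   string
}

// AccessChecker reports whether a user can read a repository right now.
// A real implementation would consult the live permission system.
type AccessChecker func(userID, repoID int64) bool

// ListWithoutRecheck models the flawed behaviour: every stored stopwatch is
// returned, so rows created before a revocation still expose repo and issue
// names.
func ListWithoutRecheck(all []Stopwatch) []Stopwatch {
	return all
}

// VisibleStopwatches models the fix: repository access is re-validated per
// row at request time and anything the user can no longer read is dropped.
func VisibleStopwatches(userID int64, all []Stopwatch, canRead AccessChecker) []Stopwatch {
	out := make([]Stopwatch, 0, len(all))
	for _, sw := range all {
		if canRead(userID, sw.RepoID) {
			out = append(out, sw)
		}
	}
	return out
}

// SampleAccess is a constructed permission table: user 7 still has repo 1,
// while access to repo 2 has been revoked after the stopwatch was started.
func SampleAccess(userID, repoID int64) bool {
	grants := map[int64]map[int64]bool{7: {1: true}}
	return grants[userID][repoID] // nil inner map yields false
}

func main() {
	watches := []Stopwatch{ // constructed sample rows
		{IssueID: 10, RepoID: 1, IssueTitle: "Fix login form", RepoName: "org/repo-a"},
		{IssueID: 11, RepoID: 2, IssueTitle: "Unreleased roadmap", RepoName: "org/private-b"},
	}
	fmt.Println("without recheck:", len(ListWithoutRecheck(watches)), "rows")
	fmt.Println("with recheck:   ", len(VisibleStopwatches(7, watches, SampleAccess)), "rows")
}
```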

Remediation

Users can upgrade to Gitea version 1.25.4, where this vulnerability has been addressed.

Added: Jan 22, 2026, 10:22 PM
Updated: Jan 22, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread          7.6
impact          0.6
exploitability  5.3
remediation     7.7
relevance       2.3
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.