Inadequate Attachment Deletion Verification in Gitea by Gitea
CVE-2026-20736

7.5 HIGH

Key Information:

Vendor

Gitea

CVE Published:
22 January 2026

What is CVE-2026-20736?

Gitea has a security vulnerability that allows users to delete attachments from repositories without proper authorization. This issue arises when a user who has previously uploaded an attachment to a repository is able to delete it even after losing access, by making the deletion request through a different repository that they still have access to. This flaw can lead to unauthorized data manipulation and poses a risk to the integrity of repository content. It is critical for users to ensure that they are using the latest version of Gitea to mitigate this issue.
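The missing check described above, as an added example: this is a simplified, hypothetical model, not Gitea's code or its patch. All type and function names, the IDs and the sample data are constructed for illustration. The weak path authorizes against the repository named in the request only; the checked path first requires that the attachment belongs to that repository.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model; these are not Gitea's types or handlers.
type Attachment struct{ RepoID, UploaderID int64 }

type Store struct {
	Attachments map[string]Attachment
	CanWrite    map[int64]map[int64]bool // userID -> repoID -> has write access
}

var ErrNotFound = errors.New("attachment not found")
var ErrForbidden = errors.New("forbidden")

// remove deletes an attachment on behalf of userID for a request made against
// reqRepoID. With bindRepo set, the attachment must belong to reqRepoID, so the
// permission check applies to the repository that actually owns the file.
func (s *Store) remove(userID, reqRepoID int64, uuid string, bindRepo bool) error {
	a, ok := s.Attachments[uuid]
	if !ok || (bindRepo && a.RepoID != reqRepoID) {
		return ErrNotFound // same answer for "missing" and "other repository"
	}
	if !s.CanWrite[userID][reqRepoID] || a.UploaderID != userID {
		return ErrForbidden
	}
	delete(s.Attachments, uuid)
	return nil
}

// DeleteWeak never ties the attachment to the repository in the request.
func (s *Store) DeleteWeak(u, r int64, id string) error { return s.remove(u, r, id, false) }

// DeleteChecked enforces the attachment-to-repository binding before deleting.
func (s *Store) DeleteChecked(u, r int64, id string) error { return s.remove(u, r, id, true) }

// NewSampleStore returns constructed data: user 7 uploaded "att-1" to repo 1,
// later lost access there, and still has write access to repo 2.
func NewSampleStore() *Store {
	return &Store{
		Attachments: map[string]Attachment{"att-1": {RepoID: 1, UploaderID: 7}},
		CanWrite:    map[int64]map[int64]bool{7: {2: true}},
	}
}

func main() {
	fmt.Println(NewSampleStore().DeleteWeak(7, 2, "att-1"), NewSampleStore().DeleteChecked(7, 2, "att-1"))
}
```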

Affected Version(s)

Gitea Open Source Git Server: versions from 0 up to and including 1.25.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

spingARbor