Product Overview
Product: Gitea
Category: Self-hosted Git repository management platform
Typical Users: Enterprises, DevOps teams, open-source maintainers
Core Risk Area: Authorization and access-control enforcement
Gitea is widely deployed in internal and internet-facing environments. Because it manages source code, CI/CD triggers, secrets, and automation hooks, authorization flaws can quickly escalate into supply-chain compromise or full infrastructure takeover.
Vulnerability Summary Table
| CVE Name | CVE ID | CVSS v3.1 | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| Authorization Bypass – Cross-Repository Destructive Actions | CVE-2026-20897 | 9.1 | Critical | High | No public PoC (trivial to weaponize) |
| Project Ownership Bypass – Organization-Wide Compromise | CVE-2026-20750 | 9.6 | Critical | Very High | Private PoC reported |
CVE-2026-20897 – Authorization Bypass (Cross-Repository Destructive Actions)
What Went Wrong
This vulnerability exists because Gitea trusted repository identifiers supplied by the user without fully re-checking ownership or permissions at critical API endpoints.
As a result, a user with valid access to one repository could perform destructive actions on other repositories they do not own.
How This Can Be Exploited
An attacker only needs:
- A valid Gitea user account
- Write access to any repository (even their own test repo)
Exploitation Flow
- Attacker identifies a target repository inside the same Gitea instance
- They intercept or manually craft API requests
- They replace the `repo_id` or repository path with a victim repository
- The backend processes the request without re-verifying authorization
Impacted Actions
- Repository deletion
- Wiki deletion
- Issue and pull request removal
- Webhook removal
- Git LFS object deletion
This makes the vulnerability destructive by default, even without code execution.
Business Impact
- Loss of intellectual property
- CI/CD pipeline disruption
- Irreversible data loss (if backups are missing)
- Trust erosion in internal development platforms
MITRE ATT&CK Mapping
- T1068 – Exploitation for Privilege Escalation
- T1565.001 – Data Manipulation: Stored Data
- T1485 – Data Destruction
Detection & Monitoring
Indicators of Compromise
- Destructive actions performed by unexpected users
- Repository deletion events without UI access
- API calls affecting repositories outside a user’s normal scope
Detection Logic
IF user_id performs DELETE or POST destructive action
AND repository_owner != user_id
AND no admin role is present
THEN alert
Relevant Log Sources
- Gitea audit logs
- HTTP access logs
- Reverse proxy logs (NGINX / Traefik)
- Database audit logs (if enabled)
Payload / Request Pattern
- REST API calls where `repo_id` or `owner/repo` is manually modified
- Auth token belongs to a different repository owner
- Often performed via curl, Postman, or browser dev tools
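One way to implement the detection logic above over reverse-proxy access logs, as an added example that is not part of the original advisory: the log line format, user names, repository names and the site-admin set are constructed assumptions, not Gitea's own log schema.

```python
import re

# Constructed sample lines in a hypothetical reverse-proxy log format that
# records the authenticated Gitea user name after the client IP:
#   <client_ip> <user> "<METHOD> <path> HTTP/1.1" <status>
SAMPLE_LOG = """\
10.0.0.5 alice "DELETE /api/v1/repos/alice/scratch HTTP/1.1" 204
10.0.0.5 alice "DELETE /api/v1/repos/payments/ledger HTTP/1.1" 204
10.0.0.9 bob "DELETE /api/v1/repos/payments/ledger/hooks/7 HTTP/1.1" 204
10.0.0.7 carol "GET /api/v1/repos/payments/ledger HTTP/1.1" 200
10.0.0.5 alice "DELETE /api/v1/repos/payments/ledger/issues/12 HTTP/1.1" 404
10.0.0.8 alice "POST /api/v1/repos/alice/scratch/issues HTTP/1.1" 201
"""

# Matches repo-scoped API paths only; owner and repo are the first two segments.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) '
    r'(?P<path>/api/v1/repos/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)\S*) '
    r'HTTP/[\d.]+" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return the fields of one repo-scoped API log line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_cross_repo_destructive(log_text, site_admins):
    """Rule: destructive method AND repository owner != actor AND actor is not a site admin.

    Only DELETE is treated as destructive here; map any UI form POSTs your
    instance logs for deletion onto the same predicate. Failed requests (404)
    are kept, since a denied probe is still worth seeing; the status is reported.
    Repositories owned by an organization match for every non-admin member, so
    suppress known org members upstream or route those hits to a lower severity.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "DELETE":
            continue
        if ev["owner"] == ev["user"] or ev["user"] in site_admins:
            continue
        alerts.append((ev["user"], f'{ev["owner"]}/{ev["repo"]}', ev["path"], int(ev["status"])))
    return alerts


if __name__ == "__main__":
    for alert in find_cross_repo_destructive(SAMPLE_LOG, site_admins={"bob"}):
        print("ALERT cross-repo destructive action:", alert)
```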
Patch & Remediation
Official Fix:
Apply the latest Gitea security patch that enforces authorization checks on every destructive repository operation, regardless of API or UI origin.
Official Patch Link: https://github.com/go-gitea/gitea/releases
Additional Hardening
- Enable audit logging
- Restrict API token scopes
- Enforce least-privilege repository access
- Maintain regular offline backups
CVE-2026-20750 – Project Ownership Bypass (Organization-Wide Compromise)
What Went Wrong
This issue stems from improper validation of project ownership during organization-level operations.
Gitea allowed certain users to escalate from project contributor to project owner, which then cascaded into organization-level privileges.
How This Can Be Exploited
Required Access
- Any user account inside an organization
- Basic project membership (non-admin)
Exploitation Flow
- Attacker targets an organization project
- Sends a crafted request to project-management endpoints
- Backend incorrectly trusts project-role updates
- Attacker becomes project owner
- Ownership privileges extend to:
- Repository control
- Webhooks
- Secrets
- CI/CD triggers
From here, compromise spreads rapidly.
Why This Is Extremely Dangerous
Once project ownership is gained:
- CI pipelines can be modified
- Malicious code can be injected
- Secrets can be exfiltrated
- Downstream builds become infected
This is a supply-chain attack enabler.
MITRE ATT&CK Mapping
- T1098 – Account Manipulation
- T1078 – Valid Accounts
- T1195 – Supply Chain Compromise
Detection & Monitoring
High-Risk Events to Monitor
- Sudden role changes
- New project owners without admin approval
- Organization setting changes by non-admins
Detection Rule Example
IF project_role changes to OWNER
AND actor_role NOT IN [OrgAdmin]
THEN critical alert
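The detection rule above, together with the high-risk events listed before it, applied to an audit-event export, as an added example that is not part of the original advisory: the JSON-lines layout, field names, role names and sample actors are constructed assumptions, not Gitea's own audit schema.

```python
import json

# Constructed sample audit events in a hypothetical JSON-lines export.
SAMPLE_EVENTS = """\
{"ts":"2026-02-01T09:00:00Z","actor":"dave","actor_role":"OrgAdmin","action":"project.role.update","org":"payments","project":"q1-release","target":"erin","new_role":"OWNER"}
{"ts":"2026-02-01T09:05:00Z","actor":"mallory","actor_role":"Member","action":"project.role.update","org":"payments","project":"q1-release","target":"mallory","new_role":"OWNER"}
{"ts":"2026-02-01T09:06:00Z","actor":"frank","actor_role":"Member","action":"project.role.update","org":"payments","project":"q1-release","target":"grace","new_role":"WRITE"}
{"ts":"2026-02-01T09:07:00Z","actor":"frank","actor_role":"Member","action":"org.settings.update","org":"payments","setting":"repo_creation_policy"}
"""

# Roles allowed to hand out project ownership (assumed name, per the rule's [OrgAdmin]).
ORG_ADMIN_ROLES = {"OrgAdmin"}


def classify(event):
    """Return (severity, reason) for one event, or None when nothing is suspicious."""
    actor_is_admin = event.get("actor_role") in ORG_ADMIN_ROLES
    if event.get("action") == "project.role.update" and event.get("new_role") == "OWNER":
        if actor_is_admin:
            return None
        if event.get("target") == event.get("actor"):
            return ("critical", "self-promotion to project OWNER by non-admin")
        return ("critical", "project OWNER granted by non-admin")
    if event.get("action", "").startswith("org.settings.") and not actor_is_admin:
        return ("high", "organization setting changed by non-admin")
    return None


def scan_events(jsonl_text):
    """Run classify() over a JSON-lines export; malformed lines are skipped, not fatal."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(ev)
        if hit:
            findings.append((ev.get("ts"), ev.get("actor"), ev.get("org"), *hit))
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print("ALERT", *finding)
```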
Log Sources to Enable
- Organization audit logs
- Project membership change logs
- Authentication and session logs
- CI/CD execution logs
Proof-of-Concept Status
- No public PoC released
- Private exploitation confirmed during security research
- Exploit requires no race conditions or timing abuse
Patch & Remediation
Official Fix:
Upgrade to the patched Gitea release that adds strict server-side role validation and blocks unauthorized ownership transitions.
Official Patch Link: https://github.com/go-gitea/gitea/releases
Defensive Measures
- Review organization membership weekly
- Disable self-service role changes
- Lock CI secrets behind admin approval
- Monitor webhook creation events
Final Takeaway
Both vulnerabilities represent high-confidence, low-complexity attack paths that can:
- Destroy repositories
- Compromise CI/CD pipelines
- Enable full organization takeover
If Gitea is exposed to the internet or used internally without strict monitoring, immediate patching is strongly advised.
