CVE-2026-20904

MEDIUM

Gitea - Privilege Escalation

Title source: llm

Description

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

References (5)

[Broken Link] https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx

[Issue Tracking, Patch] https://github.com/go-gitea/gitea/pull/36346

[Issue Tracking, Patch] https://github.com/go-gitea/gitea/pull/36361

[Release Notes] https://github.com/go-gitea/gitea/releases/tag/v1.25.4

[Release Notes] https://blog.gitea.com/release-of-1.25.4/

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 2.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284 CWE-639

Status published

Products (2)

gitea/gitea < 1.25.4

go-gitea/gitea 0 - 1.25.4Go

Published Jan 22, 2026

Tracked Since Feb 18, 2026