{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20883", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "state": "PUBLISHED", "assignerShortName": "Gitea", "dateReserved": "2026-01-08T23:02:37.553Z", "datePublished": "2026-01-22T22:01:50.840Z", "dateUpdated": "2026-01-23T21:54:21.705Z"}, "containers": {"cna": {"affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"version": "0", "lessThanOrEqual": "1.25.3", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36340", "name": "GitHub Pull Request #36340", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36368", "name": "GitHub Pull Request #36368", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "credits": [{"lang": "en", "value": "spingARbor", "type": "reporter"}], "title": "Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure", "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:50.840Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T21:11:00.973092Z", "id": "CVE-2026-20883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:54:21.705Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T21:11:00.973092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:10:57.579Z"}}], "cna": {"title": "Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure", "credits": [{"lang": "en", "type": "reporter", "value": "spingARbor"}], "affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.25.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36340", "name": "GitHub Pull Request #36340", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36368", "name": "GitHub Pull Request #36368", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:50.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20883", "state": "PUBLISHED", "dateUpdated": "2026-01-23T21:54:21.705Z", "dateReserved": "2026-01-08T23:02:37.553Z", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "datePublished": "2026-01-22T22:01:50.840Z", "assignerShortName": "Gitea"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches."}], "id": "CVE-2026-20883", "lastModified": "2026-01-26T15:04:14.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T22:16:17.713", "references": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://blog.gitea.com/release-of-1.25.4/"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/pull/36340"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/pull/36368"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg"}], "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary"}]}

{"bugzilla": {"description": "gitea: Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure", "id": "2432214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432214"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-284", "details": ["Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-20883", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-opc-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2026-01-22T22:01:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20883\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20883\nhttps://blog.gitea.com/release-of-1.25.4/\nhttps://github.com/go-gitea/gitea/pull/36340\nhttps://github.com/go-gitea/gitea/pull/36368\nhttps://github.com/go-gitea/gitea/releases/tag/v1.25.4\nhttps://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg"], "threat_severity": "Moderate"}

{"created": "2026-01-23T10:27:08.476611+00:00", "updated": "2026-01-23T10:27:08.476639+00:00", "vendors": ["gitea", "gitea$PRODUCT$gitea"]}