{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20904", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "state": "PUBLISHED", "assignerShortName": "Gitea", "dateReserved": "2026-01-08T23:02:37.537Z", "datePublished": "2026-01-22T22:01:51.762Z", "dateUpdated": "2026-01-23T21:53:53.397Z"}, "containers": {"cna": {"affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"version": "0", "lessThanOrEqual": "1.25.3", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36346", "name": "GitHub Pull Request #36346", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36361", "name": "GitHub Pull Request #36361", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "credits": [{"lang": "en", "value": "spingARbor", "type": "reporter"}], "title": "Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes", "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:51.762Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:52:05.088654Z", "id": "CVE-2026-20904", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:53:53.397Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes", "credits": [{"lang": "en", "type": "reporter", "value": "spingARbor"}], "affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.25.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36346", "name": "GitHub Pull Request #36346", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36361", "name": "GitHub Pull Request #36361", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:51.762Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T17:52:05.088654Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-23T17:52:26.545Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-20904", "state": "PUBLISHED", "dateUpdated": "2026-01-22T22:01:51.762Z", "dateReserved": "2026-01-08T23:02:37.537Z", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "datePublished": "2026-01-22T22:01:51.762Z", "assignerShortName": "Gitea"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities."}], "id": "CVE-2026-20904", "lastModified": "2026-01-26T15:04:14.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T22:16:19.130", "references": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://blog.gitea.com/release-of-1.25.4/"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/pull/36346"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/pull/36361"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx"}], "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary"}]}

{"bugzilla": {"description": "gitea: Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes", "id": "2432217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432217"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "(CWE-284|CWE-639)", "details": ["Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-20904", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-opc-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2026-01-22T22:01:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20904\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20904\nhttps://blog.gitea.com/release-of-1.25.4/\nhttps://github.com/go-gitea/gitea/pull/36346\nhttps://github.com/go-gitea/gitea/pull/36361\nhttps://github.com/go-gitea/gitea/releases/tag/v1.25.4\nhttps://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx"], "threat_severity": "Moderate"}

{"created": "2026-01-23T10:27:10.485448+00:00", "updated": "2026-01-23T10:27:10.485578+00:00", "vendors": ["gitea", "gitea$PRODUCT$gitea"]}