CVE-2026-0798 Overview
CVE-2026-0798 is an information disclosure vulnerability in Gitea, a self-hosted Git service. The vulnerability occurs when a repository is changed from public to private, allowing users who previously watched the repository to continue receiving release notifications even after their access has been revoked. This can result in the disclosure of sensitive information including release titles, tags, and content to unauthorized users.
Critical Impact
Unauthorized users may receive release notifications for private repositories, potentially exposing confidential release information, software versions, and proprietary content to individuals who should no longer have access.
Affected Products
- Gitea versions prior to 1.25.4
Discovery Timeline
- 2026-01-22 - CVE-2026-0798 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-0798
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control). The issue stems from Gitea's notification system failing to properly validate current user permissions when distributing release notifications. When a repository transitions from public to private visibility, the system does not re-evaluate or purge the watch list of users who no longer have legitimate access to the repository.
The flaw exists in the release notification workflow where the application checks if a user is watching a repository but does not verify whether that user still has valid read permissions at the time the notification is sent. This creates a window where former collaborators, users whose access was explicitly revoked, or users who watched the repository while it was public can continue to receive email notifications about new releases.
Root Cause
The root cause is an improper access control check in the notification dispatch mechanism. When Gitea generates release notifications, it iterates through users who have subscribed to watch the repository without performing a secondary authorization check to confirm the user's current access level. The watch relationship persists independently of the access control changes made to the repository, creating a disconnect between who should receive notifications and who actually receives them.
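The following Go program is an added illustration of the pattern described in the Vulnerability Analysis and Root Cause sections above; it is not Gitea's code and uses a hypothetical in-memory model (a repository row, a watch relation, and explicit access grants) rather than Gitea's real types or database schema. It contrasts a dispatch routine that trusts the watch relation alone with one that re-checks read permission for every recipient at the moment the notification is generated, and shows which watchers the first routine would still mail after the repository goes private and a collaborator is removed.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical model of the data kept for a repository (repository row,
// watch relation, explicit access grants). Added illustration, not Gitea's code.
type Repo struct {
	ID      int64
	OwnerID int64
	Private bool
}

// AccessMode stands in for a per-user permission level on a repository.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
)

// State holds the repository and the two relations that drift apart when
// visibility changes: who watches, and who is actually allowed to read.
type State struct {
	Repo     Repo
	Watchers map[int64]bool       // user IDs with a watch row for Repo
	Access   map[int64]AccessMode // explicit grants; a missing key means no grant
}

// canRead is the authorization check that has to run at dispatch time.
// Everyone may read a public repository; on a private one only the owner
// and users holding an explicit read-or-better grant may.
func (s *State) canRead(userID int64) bool {
	if !s.Repo.Private || userID == s.Repo.OwnerID {
		return true
	}
	return s.Access[userID] >= AccessRead
}

// makePrivate flips visibility without touching the watch relation, which is
// the transition the advisory describes.
func (s *State) makePrivate() { s.Repo.Private = true }

// revokeAccess removes a collaborator's grant; the watch row survives.
func (s *State) revokeAccess(userID int64) { delete(s.Access, userID) }

// sortedIDs returns the watcher IDs accepted by keep, in ascending order.
func sortedIDs(m map[int64]bool, keep func(int64) bool) []int64 {
	out := make([]int64, 0, len(m))
	for id := range m {
		if keep(id) {
			out = append(out, id)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// vulnerableRecipients models the pre-fix behaviour: only the watch relation
// is consulted, so later permission changes never take effect.
func (s *State) vulnerableRecipients() []int64 {
	return sortedIDs(s.Watchers, func(int64) bool { return true })
}

// patchedRecipients re-checks permissions for every watcher when the
// notification is generated, the behaviour the advisory attributes to 1.25.4.
func (s *State) patchedRecipients() []int64 {
	return sortedIDs(s.Watchers, s.canRead)
}

// leakedTo lists the watchers the vulnerable path would mail even though
// they can no longer read the repository.
func (s *State) leakedTo() []int64 {
	return sortedIDs(s.Watchers, func(id int64) bool { return !s.canRead(id) })
}

// exampleState builds a constructed scenario: user 1 owns the repository,
// users 2 and 4 are collaborators, user 3 is an unrelated account. All four
// watched it while it was public; then it goes private and user 4 is removed.
func exampleState() *State {
	s := &State{
		Repo:     Repo{ID: 42, OwnerID: 1, Private: false},
		Watchers: map[int64]bool{1: true, 2: true, 3: true, 4: true},
		Access:   map[int64]AccessMode{2: AccessRead, 4: AccessWrite},
	}
	s.makePrivate()
	s.revokeAccess(4)
	return s
}

func main() {
	s := exampleState()
	fmt.Println("vulnerable dispatch mails:", s.vulnerableRecipients())
	fmt.Println("patched dispatch mails:   ", s.patchedRecipients())
	fmt.Println("leaked to:                ", s.leakedTo())
}
```

The point the program makes is that the watch relation is a subscription, not a permission, so any consumer of it that sends repository content has to call the permission check itself; purging watchers on the visibility change alone would still miss the collaborator removed later, which is why the check belongs at dispatch time.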
Attack Vector
No active exploitation is required. Any account that watched the repository while it was public (on an instance that allows public sign-up, that can be any registered user), or a collaborator whose access was later revoked, keeps its watch entry and passively receives every subsequent release email. The only precondition is that the watch existed before the access was lost.
The disclosed information through notifications may include:
- Release titles that could reveal product roadmaps or feature names
- Version tags that expose internal versioning schemes
- Release notes and content that may contain sensitive technical details or security fixes
Detection Methods for CVE-2026-0798
Indicators of Compromise
- Review email server logs for release notification emails sent to users who are not current members of private repositories
- Audit user watch lists for private repositories to identify users without current read access
- Monitor for complaints from users receiving notifications for repositories they should not have access to
Detection Strategies
- Implement logging to track release notification distribution and compare against current repository access lists
- Create periodic audits that cross-reference repository watchers with current permission sets
- Monitor for unusual patterns of notification delivery to external or former user accounts
Monitoring Recommendations
- Enable detailed logging for the Gitea notification subsystem
- Set up alerts for repository visibility changes from public to private
- Regularly audit watcher lists following any access control modifications to repositories
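The following Go program is an added example implementing the audit the Detection Strategies and Monitoring Recommendations above call for: it cross-references a private repository's watchers against its owner and collaborators and reports the watchers who have no current read access. It is not a Gitea tool. The JSON responses are constructed to match the shape of the Gitea API endpoints `GET /repos/{owner}/{repo}`, `GET /repos/{owner}/{repo}/subscribers` and `GET /repos/{owner}/{repo}/collaborators` (a `full_name`, `private` and `owner` field, and arrays of user objects with `id` and `login`); the `getJSON` helper that would fetch them from a live instance is included but not exercised on the sample data. Organization team members are not collaborators, so they are passed in as an assumed allowlist; without it every team member on an organization-owned repository shows up as a false positive.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sort"
)

// apiUser is the subset of the Gitea API User object this audit needs.
type apiUser struct {
	ID    int64  `json:"id"`
	Login string `json:"login"`
}

// apiRepo is the subset of the Repository object returned by
// GET /api/v1/repos/{owner}/{repo}.
type apiRepo struct {
	FullName string  `json:"full_name"`
	Private  bool    `json:"private"`
	Owner    apiUser `json:"owner"`
}

// orphanWatchers returns the logins of users who watch a private repository
// but are neither its owner, a collaborator, nor in the extra allowlist
// (assumed to hold members of organization teams that grant read access).
func orphanWatchers(repo apiRepo, watchers, collaborators []apiUser, allow map[string]bool) []string {
	if !repo.Private {
		return nil // public repository: every watcher may legitimately read it
	}
	permitted := map[string]bool{repo.Owner.Login: true}
	for _, c := range collaborators {
		permitted[c.Login] = true
	}
	for login := range allow {
		permitted[login] = true
	}
	out := []string{}
	for _, w := range watchers {
		if !permitted[w.Login] {
			out = append(out, w.Login)
		}
	}
	sort.Strings(out)
	return out
}

// getJSON fetches one endpoint with a personal access token, sent as
// "Authorization: token <PAT>". List endpoints are paginated, so a caller
// has to walk ?page=N&limit=M until a page comes back short. Not called on
// the constructed sample below.
func getJSON(baseURL, token, path string, v interface{}) error {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/v1"+path, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", path, resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return err
	}
	return json.Unmarshal(body, v)
}

// Constructed sample responses (not captured from a real instance) in the
// shape of GET /repos/acme/backend, .../subscribers and .../collaborators.
const (
	sampleRepo     = `{"full_name":"acme/backend","private":true,"owner":{"id":1,"login":"acme"}}`
	sampleWatchers = `[{"id":1,"login":"acme"},{"id":2,"login":"alice"},{"id":3,"login":"bob"},{"id":4,"login":"mallory"}]`
	sampleCollabs  = `[{"id":2,"login":"alice"}]`
)

// parseSample decodes the constructed responses.
func parseSample() (apiRepo, []apiUser, []apiUser, error) {
	var repo apiRepo
	var watchers, collabs []apiUser
	if err := json.Unmarshal([]byte(sampleRepo), &repo); err != nil {
		return repo, nil, nil, err
	}
	if err := json.Unmarshal([]byte(sampleWatchers), &watchers); err != nil {
		return repo, nil, nil, err
	}
	if err := json.Unmarshal([]byte(sampleCollabs), &collabs); err != nil {
		return repo, nil, nil, err
	}
	return repo, watchers, collabs, nil
}

func main() {
	repo, watchers, collabs, err := parseSample()
	if err != nil {
		panic(err)
	}
	// bob is assumed to reach the repository through an org team; mallory is not.
	teamMembers := map[string]bool{"bob": true}
	fmt.Printf("%s: watchers without current read access: %v\n",
		repo.FullName, orphanWatchers(repo, watchers, collabs, teamMembers))
}
```

Run it on a schedule across every private repository and alert on a non-empty result; a finding that appears right after a public-to-private change or a collaborator removal is exactly the condition the advisory describes.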
How to Mitigate CVE-2026-0798
Immediate Actions Required
- Upgrade Gitea to version 1.25.4 or later immediately
- Review all repositories that have been changed from public to private and audit their watcher lists
- Consider manually removing watchers who no longer have repository access
Patch Information
Gitea has released version 1.25.4 which addresses this vulnerability. The fix ensures that release notifications are only sent to users who have current, valid read access to the repository at the time the notification is generated.
For detailed patch information, see the Gitea Release Announcement and the GitHub Pull Request Discussion.
Workarounds
- Manually clear all watchers when changing a repository from public to private
- Disable email notifications for release events on sensitive private repositories until the patch can be applied
- Restrict outbound notification mail at the relay to approved domains only; this limits exposure to outside addresses but does nothing for former collaborators or other accounts that use an approved domain, so treat it as a partial control
- Review and clean up watcher lists on all private repositories as a precautionary measure
# Configuration example
# After upgrading, confirm the running binary is 1.25.4 or later
gitea --version
# Audit who watches a sensitive repository: the web UI lists watchers at
#   https://<gitea-host>/<owner>/<repo>/watchers
# and collaborators under Repository Settings > Collaborators. Compare the
# two lists and ask anyone without current access to unwatch the repository.
# Temporary workaround until the upgrade can be applied: disable outgoing mail.
# In app.ini, under the [mailer] section:
# ENABLED = false   # stops ALL Gitea email (password resets, mentions, ...),
#                   # not only release notifications
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.