CVE-2026-20736 Overview
Gitea, a popular self-hosted Git service, contains an improper access control vulnerability in its attachment deletion functionality. The vulnerability exists because Gitea does not properly verify the repository context when processing attachment deletion requests. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by routing the deletion request through a different repository to which they still have access.
Critical Impact
This vulnerability lets a former collaborator delete attachments they themselves uploaded to a repository after their access to it has been revoked, provided they still have access to some other repository on the same instance. The exposure is limited to the attacker's own uploads, but those can be screenshots, logs or artefacts attached to issues and pull requests, so their removal tampers with the project's records and disrupts its integrity.
Affected Products
- Gitea versions prior to 1.25.4
Discovery Timeline
- 2026-01-22 - CVE-2026-20736 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-20736
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control), which describes a failure to properly restrict access to resources or functionality. In the context of Gitea, the attachment deletion endpoint does not adequately validate that the requesting user has current access to the specific repository where the attachment resides. Instead, the system appears to check only whether the user has access to any repository through which the request is routed.
The core issue stems from an authorization logic flaw where the deletion operation validates user permissions against the wrong repository context. When a user makes a deletion request, Gitea verifies access to the repository specified in the request path rather than confirming the user's current access rights to the repository that actually owns the attachment.
Root Cause
The root cause is an improper access control implementation in Gitea's attachment handling code. The system fails to enforce proper context validation, allowing cross-repository operations that bypass intended access restrictions. Specifically, the attachment deletion handler does not verify that the authenticated user has current permissions for the repository where the target attachment is stored, only checking permissions for the repository through which the request is made.
Attack Vector
An attacker can exploit this vulnerability through the following scenario:
- User A uploads an attachment to Repository X while they have access
- User A's access to Repository X is revoked (removed as collaborator)
- User A retains access to Repository Y
- User A sends a deletion request for the attachment (originally uploaded to Repository X) through Repository Y's deletion endpoint
- Gitea confirms that User A can write to Repository Y and that User A is the attachment's uploader, then deletes Repository X's attachment without ever checking that it belongs to Repository Y
The vulnerability allows the attacker to delete attachments they previously uploaded even after losing legitimate access to the repository, as long as they can route the request through another accessible repository. This could result in data loss, disruption of repository content, or manipulation of issue and pull request attachments.
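The authorization flaw described under Root Cause and the five-step scenario above, as an added Go example. This is illustrative code written for this page, not Gitea's handler: it assumes a route-scoped write check, a globally unique attachment UUID and an uploader check, and it models the fix as one extra comparison of the attachment's owning repository against the repository in the request path. The structs, the in-memory store and the UUID are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("attachment not found")

// Attachment carries the two facts the handler needs: owning repo and uploader.
type Attachment struct {
	UUID       string
	RepoID     int64
	UploaderID int64
}

// Repo holds the current collaborator set; revoking access is a map delete.
type Repo struct {
	ID            int64
	Collaborators map[int64]bool
}

// CanWrite is the route-level permission check every deletion request passes through.
func (r *Repo) CanWrite(userID int64) bool { return r.Collaborators[userID] }

// Store is an in-memory stand-in for the attachment table, keyed by a globally unique UUID.
type Store struct{ byUUID map[string]*Attachment }

func newStore() *Store                       { return &Store{byUUID: map[string]*Attachment{}} }
func (s *Store) Upload(a *Attachment)        { s.byUUID[a.UUID] = a }
func (s *Store) Get(uuid string) *Attachment { return s.byUUID[uuid] }
func (s *Store) Delete(uuid string)          { delete(s.byUUID, uuid) }
func (s *Store) Exists(uuid string) bool     { _, ok := s.byUUID[uuid]; return ok }

// deleteVulnerable checks write access to the repo named in the request path and that the
// caller uploaded the attachment, but never checks that the attachment belongs to that repo.
func deleteVulnerable(s *Store, routeRepo *Repo, doerID int64, uuid string) error {
	if !routeRepo.CanWrite(doerID) {
		return ErrForbidden
	}
	att := s.Get(uuid)
	if att == nil {
		return ErrNotFound
	}
	if att.UploaderID != doerID {
		return ErrForbidden
	}
	s.Delete(uuid)
	return nil
}

// deleteFixed adds the missing context check: the attachment must belong to the repository
// the request was made against, so the route permission that was checked is the right one.
func deleteFixed(s *Store, routeRepo *Repo, doerID int64, uuid string) error {
	if !routeRepo.CanWrite(doerID) {
		return ErrForbidden
	}
	att := s.Get(uuid)
	if att == nil || att.RepoID != routeRepo.ID {
		return ErrNotFound // not-found, not forbidden: do not confirm the UUID exists elsewhere
	}
	if att.UploaderID != doerID {
		return ErrForbidden
	}
	s.Delete(uuid)
	return nil
}

type deleteFn func(*Store, *Repo, int64, string) error

// run gives user A an attachment in repo X and a collaboration on repo Y, optionally revokes
// A's access to X, then sends the deletion through X or Y. Returns whether the attachment survived.
func run(del deleteFn, revokeX, viaY bool) (survived bool, err error) {
	const userA int64 = 42
	const uuid = "d3b07384-0000-4000-8000-000000000001" // constructed UUID
	repoX := &Repo{ID: 1, Collaborators: map[int64]bool{userA: true}}
	repoY := &Repo{ID: 2, Collaborators: map[int64]bool{userA: true}}
	s := newStore()
	s.Upload(&Attachment{UUID: uuid, RepoID: repoX.ID, UploaderID: userA})
	if revokeX {
		delete(repoX.Collaborators, userA)
	}
	route := repoX
	if viaY {
		route = repoY
	}
	err = del(s, route, userA, uuid)
	return s.Exists(uuid), err
}

// runAttack is the CVE scenario; runLegitimate is the normal path the fix must keep working.
func runAttack(del deleteFn) (bool, error)     { return run(del, true, true) }
func runLegitimate(del deleteFn) (bool, error) { return run(del, false, false) }

func main() {
	for name, fn := range map[string]deleteFn{"vulnerable": deleteVulnerable, "fixed": deleteFixed} {
		survived, err := runAttack(fn)
		fmt.Printf("%-10s attack via repo Y: attachment survived=%v err=%v\n", name, survived, err)
	}
}
```

The fixed handler answers a cross-repository UUID with not-found rather than forbidden; that is a design choice made here so the endpoint does not confirm that an attachment exists in a repository the caller cannot see, and the uploader check alone is not a substitute for it because the attacker is the uploader in this scenario.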
Detection Methods for CVE-2026-20736
Indicators of Compromise
- Unexpected deletion of attachments from repositories, particularly those uploaded by users who no longer have access
- Audit logs showing attachment deletion requests made against a repository other than the one the attachment belongs to. A plain HTTP access log records the repository in the request path; whether the targeted attachment is also visible depends on whether its identifier travels in the path or in the request body, so keep the attachment table or storage inventory available to join against
- User complaints about missing attachments in issues or pull requests
Detection Strategies
- Review Gitea access logs for attachment deletion API calls, particularly examining the repository context versus the actual attachment location
- Monitor for attachment deletion requests from users shortly after they were removed as collaborators from any repository; the request itself targets a repository they can still access and passes the access check, so the removal event is the signal, not a failed authorization
- Implement alerting on attachment deletions performed by users who are not current collaborators of the target repository
Monitoring Recommendations
- Enable detailed audit logging in Gitea to track all attachment operations
- Correlate user access changes (collaborator removals) with subsequent attachment deletion events
- Review historical attachment deletion logs for anomalies after upgrading to identify potential past exploitation
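A detection pass that applies the correlation recommended above (collaborator removals followed by attachment deletions) to constructed access-log lines, as an added example that is not part of this page or of Gitea. It assumes Gitea's default access-log layout and a web route of the form /{owner}/{repo}/attachments/remove for deletion; adjust both regular expressions if your instance logs differently or uses another route. The log lines and the removal events are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample in Gitea's default access-log layout (assumption: ACCESS_LOG_TEMPLATE left at
// its default). alice was removed from acme/repo-x the day before and then posts an attachment
// deletion against acme/repo-y; bob's deletion has no preceding removal; alice's last one failed.
const sampleLog = `10.0.0.5 - alice [22/Jan/2026:10:01:12 +0000] "POST /acme/repo-y/attachments/remove HTTP/1.1" 200 2 "https://git.example/acme/repo-y/issues/7" "Mozilla/5.0"
10.0.0.9 - bob [22/Jan/2026:10:02:00 +0000] "POST /acme/repo-x/attachments/remove HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.5 - alice [22/Jan/2026:10:03:40 +0000] "GET /acme/repo-y/issues/7 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.5 - alice [22/Jan/2026:10:04:10 +0000] "POST /acme/repo-y/attachments/remove HTTP/1.1" 403 0 "-" "Mozilla/5.0"`

// Removal is one collaborator-removal event from the audit trail or a diff of collaborator lists.
type Removal struct {
	User, Repo string
	At         time.Time
}

// Constructed removal events.
var sampleRemovals = []Removal{
	{User: "alice", Repo: "acme/repo-x", At: mustTime("2026-01-21T09:00:00Z")},
}

// Alert pairs a deletion request with the earlier removal that makes it suspicious.
type Alert struct {
	User, RouteRepo, LostRepo string
	At                        time.Time
}

// lineRe captures remote host, user, timestamp, method, path and status from the default layout.
var lineRe = regexp.MustCompile(`^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// removeRe is the assumed shape of the web attachment-removal route.
var removeRe = regexp.MustCompile(`^/([^/]+/[^/]+)/attachments/remove(\?.*)?$`)

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// findSuspiciousDeletes flags successful attachment-deletion requests made by a user within
// `window` after that user was removed from some other repository than the one in the path.
func findSuspiciousDeletes(accessLog string, removals []Removal, window time.Duration) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(accessLog, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		user, method, path, status := m[2], m[4], m[5], m[6]
		if method != "POST" || status[0] != '2' {
			continue // only successful deletions matter; a 403 means the check held
		}
		r := removeRe.FindStringSubmatch(path)
		if r == nil {
			continue
		}
		at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[3])
		if err != nil {
			continue
		}
		for _, rm := range removals {
			since := at.Sub(rm.At)
			if rm.User == user && rm.Repo != r[1] && since >= 0 && since <= window {
				alerts = append(alerts, Alert{User: user, RouteRepo: r[1], LostRepo: rm.Repo, At: at})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range findSuspiciousDeletes(sampleLog, sampleRemovals, 72*time.Hour) {
		fmt.Printf("%s: %s deleted an attachment via %s after losing access to %s\n",
			a.At.Format(time.RFC3339), a.User, a.RouteRepo, a.LostRepo)
	}
}
```

This is a heuristic: the access log shows which repository the request was routed through, not which attachment was deleted, so an alert is a lead to confirm against the attachment table, storage listing or database backups, and a wide window will also catch innocent deletions by users who happen to have been removed from an unrelated repository.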
How to Mitigate CVE-2026-20736
Immediate Actions Required
- Upgrade Gitea to version 1.25.4 or later immediately
- Review recent attachment deletions in your Gitea instance for suspicious activity
- Audit collaborator access changes and correlate with any unexpected attachment deletions
- If you cannot patch immediately, block attachment deletion requests at the reverse proxy in front of Gitea (see Workarounds); this also blocks legitimate deletions until the upgrade is done
Patch Information
Gitea has addressed this vulnerability in version 1.25.4. The fix implements proper repository context validation during attachment deletion operations, ensuring that the user's current access rights to the attachment's actual repository are verified before processing the deletion.
For detailed information about the fix, refer to the following resources:
- Gitea Release Announcement
- Gitea Pull Request #36320
- Gitea Version 1.25.4 Release Notes
- GitHub Security Advisory GHSA-jr6h-pwwp-c8g6
Workarounds
- Restrict API access to attachment endpoints at the reverse proxy or firewall level until patching is complete
- Limit who can upload attachments, which reduces how many new attachments are exposed; it does not protect attachments that already exist
- Implement additional access logging at the network layer to track suspicious API calls
- Regularly audit and clean up stale user permissions to minimize the window of opportunity for exploitation
# Upgrade Gitea to patched version (binary install; adjust paths for packaged or Docker installs)
set -e
VERSION=1.25.4
# Stop the Gitea service
systemctl stop gitea
# Keep the old binary so you can roll back
cp /usr/local/bin/gitea /usr/local/bin/gitea.bak
# Download the release and its published SHA-256 checksum, and verify before installing
cd /tmp
wget https://github.com/go-gitea/gitea/releases/download/v${VERSION}/gitea-${VERSION}-linux-amd64
wget https://github.com/go-gitea/gitea/releases/download/v${VERSION}/gitea-${VERSION}-linux-amd64.sha256
sha256sum -c gitea-${VERSION}-linux-amd64.sha256
chmod +x gitea-${VERSION}-linux-amd64
mv gitea-${VERSION}-linux-amd64 /usr/local/bin/gitea
# Restart the Gitea service
systemctl start gitea
# Verify the upgrade reports 1.25.4 or later
gitea --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.