CVE-2026-24451 Overview
CVE-2026-24451 is an information disclosure vulnerability in Gitea version 1.26.2. The flaw allows fork synchronization to continue after a parent repository transitions from public to private. Forks that were created while the repository was public retain the ability to pull new commits, exposing code and metadata that should no longer be accessible. The issue is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor and is addressed in Gitea 1.26.3 and 1.26.4.
Critical Impact
Fork owners can continue receiving upstream changes from a repository after it is made private, causing unauthorized disclosure of source code and commit history.
Affected Products
- Gitea 1.26.2
- Self-hosted Gitea deployments with public-to-private repository transitions
- Downstream forks created before repository visibility was restricted
Discovery Timeline
- 2026-07-03 - CVE-2026-24451 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-24451
Vulnerability Analysis
Gitea supports fork synchronization, which mirrors commits from a parent repository into child forks. In version 1.26.2, the synchronization workflow does not revalidate the visibility of the parent repository at sync time. When an administrator or repository owner changes the parent from public to private, existing forks continue to receive new commits.
This behavior breaks the authorization model. A user who forked the repository while it was public may retain read access to future commits, even after they lose entitlement to the source project. The exposure affects source code, commit messages, and any secrets or configuration inadvertently pushed to the private repository.
Root Cause
The root cause is a missing authorization check in the fork sync path. The sync routine trusts the historical fork relationship and does not re-evaluate whether the parent repository is still accessible under its current visibility. The upstream fix in pull request #38151 tightens this check.
Attack Vector
The attack does not require active exploitation code. A user who previously forked a public repository triggers a fork sync operation, or waits for scheduled sync, and receives commits from the now-private parent. The vector is network-based and requires no authentication beyond the fork owner's existing account, as documented in the GitHub Security Advisory GHSA-wrf9-r3h7-7x5v.
No verified proof-of-concept code has been published. Refer to the security advisory for technical details.
Detection Methods for CVE-2026-24451
Indicators of Compromise
- Fork sync operations against repositories whose visibility recently changed from public to private
- Unexpected git fetch or Gitea API pull activity from fork owners who are not collaborators on the private parent
- Audit log entries showing repository visibility transitions followed by fork sync events
Detection Strategies
- Review Gitea audit logs for repo.visibility.change events and correlate with subsequent fork sync activity
- Inspect the fork and mirror tables in the Gitea database for forks whose parent repositories are now private
- Monitor HTTP access logs on the Gitea instance for pull requests targeting fork sync endpoints from external accounts
Monitoring Recommendations
- Alert on any repository transitioning from public to private, then enumerate existing forks and their owners
- Track fork sync API calls in web server logs and flag those referencing repositories with restricted visibility
- Baseline normal fork sync volume per repository and alert on anomalies after visibility changes
How to Mitigate CVE-2026-24451
Immediate Actions Required
- Upgrade Gitea to version 1.26.3 or 1.26.4 as documented in the Gitea 1.26.3 and 1.26.4 release announcement
- Identify repositories that transitioned from public to private on the affected version and audit their forks
- Consider removing or converting forks owned by users who should no longer have access to the parent repository
Patch Information
The fix is included in Gitea 1.26.3, published as release v1.26.3 on GitHub. The patch enforces visibility checks during fork synchronization so private parent repositories no longer propagate changes to unauthorized forks.
Workarounds
- Delete forks of any repository before changing its visibility from public to private
- Disable fork synchronization on affected repositories until the instance is upgraded
- Rotate any secrets or credentials that may have been exposed to fork owners after a visibility change
# Verify installed Gitea version and upgrade path
gitea --version
# Expected after patch: Gitea version 1.26.3 or 1.26.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

