Vulnerability Description
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
CVSS Score
6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitea | Gitea | < 1.25.4 |
Related Weaknesses (CWE)
References
- https://blog.gitea.com/release-of-1.25.4/Release Notes
- https://github.com/go-gitea/gitea/pull/36346Issue TrackingPatch
- https://github.com/go-gitea/gitea/pull/36361Issue TrackingPatch
- https://github.com/go-gitea/gitea/releases/tag/v1.25.4Release Notes
- https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqxBroken Link
FAQ
What is CVE-2026-20904?
CVE-2026-20904 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
How severe is CVE-2026-20904?
CVE-2026-20904 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-20904?
Check the references section above for vendor advisories and patch information. Affected products include: Gitea Gitea.