CVE-2026-0798: Gitea may send release notification emails for private repositories to users whose access has been revoked

January 23, 2026

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.

References

blog.gitea.com/release-of-1.25.4
github.com/advisories/GHSA-8fwc-qjw5-rvgp
github.com/go-gitea/gitea
github.com/go-gitea/gitea/pull/36319
github.com/go-gitea/gitea/releases/tag/v1.25.4
nvd.nist.gov/vuln/detail/CVE-2026-0798

Code Behaviors & Features

Detect and mitigate CVE-2026-0798 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →