CVE-2026-20736: Gitea has improper access control for uploaded attachments

January 23, 2026

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

References

blog.gitea.com/release-of-1.25.4
github.com/advisories/GHSA-hgr3-x44x-33hx
github.com/go-gitea/gitea
github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30
github.com/go-gitea/gitea/pull/36320
github.com/go-gitea/gitea/releases/tag/v1.25.4
nvd.nist.gov/vuln/detail/CVE-2026-20736

Code Behaviors & Features

Detect and mitigate CVE-2026-20736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →