CVE-2026-20800: Gitea improperly exposes issue and pull request titles

January 23, 2026

Gitea’s notification API does not re-validate repository access permissions when returning notification details. After a user’s access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.

References

blog.gitea.com/release-of-1.25.4
github.com/advisories/GHSA-2vgv-hgv4-22mh
github.com/go-gitea/gitea
github.com/go-gitea/gitea/commit/67e75f30a83d2523cedc37ad7b03bcba66947833
github.com/go-gitea/gitea/pull/36339
github.com/go-gitea/gitea/releases/tag/v1.25.4
nvd.nist.gov/vuln/detail/CVE-2026-20800

Code Behaviors & Features

Detect and mitigate CVE-2026-20800 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →