CVE-2026-20904: Gitea does not properly validate ownership when toggling OpenID URI visibility
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users’ OpenID identities.
References
- blog.gitea.com/release-of-1.25.4
- github.com/advisories/GHSA-qqgv-v353-cv8p
- github.com/go-gitea/gitea
- github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22
- github.com/go-gitea/gitea/pull/36346
- github.com/go-gitea/gitea/pull/36361
- github.com/go-gitea/gitea/releases/tag/v1.25.4
- nvd.nist.gov/vuln/detail/CVE-2026-20904
Code Behaviors & Features
Detect and mitigate CVE-2026-20904 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →