CVE-2026-0798: CWE-284: Improper Access Control in Gitea Gitea Open Source Git Server
CVE-2026-0798 is a low-severity improper access control vulnerability in the Gitea open source Git server. It causes release notification emails for private repositories to be sent to users who no longer have access, potentially leaking release titles, tags, and content. This occurs when a repository is changed from public to private but prior watchers still receive notifications. Exploitation requires the user to have had prior access and involves user interaction (email receipt). The vulnerability impacts confidentiality but not integrity or availability. No known exploits are reported in the wild. European organizations using Gitea for private code hosting should review notification settings and access controls to prevent unintended information disclosure.
AI Analysis
Technical Summary
CVE-2026-0798 is an improper access control vulnerability (CWE-284) identified in the Gitea open source Git server, which is used for hosting Git repositories. The issue arises when a repository's visibility is changed from public to private. Despite the change, users who previously watched the repository continue to receive release notification emails. These notifications include metadata such as release titles, tags, and potentially content details, which can disclose sensitive information to unauthorized users whose access has been revoked. The vulnerability stems from Gitea's failure to update or restrict notification recipients based on the current access permissions after the repository's visibility changes. The CVSS 3.1 base score is 3.5 (low severity), reflecting that the attack vector is network-based (email), requires low privileges (the user must have been a watcher before), and requires user interaction (reading the email). The impact is limited to confidentiality as no integrity or availability impacts are reported. There are no known exploits in the wild, and no patches or mitigation links are currently provided. This vulnerability highlights a gap in access control enforcement in notification mechanisms within Gitea, potentially leading to unintended information disclosure.
Potential Impact
For European organizations using Gitea to manage private repositories, this vulnerability could lead to unauthorized disclosure of sensitive project information such as release details and code changes. While the impact is limited to confidentiality and does not affect system integrity or availability, leaking release metadata could aid adversaries in reconnaissance or intellectual property theft. Organizations with strict data privacy regulations, such as GDPR, may face compliance risks if sensitive information is inadvertently disclosed. The risk is higher for organizations that frequently change repository visibility or have many external collaborators who may have had prior access. However, since exploitation requires prior watcher status and user interaction, the overall risk is moderate to low. Still, sensitive projects or those involving regulated data should consider this a notable risk to their confidentiality posture.
Mitigation Recommendations
European organizations should audit their Gitea instances to identify repositories recently changed from public to private and review the list of watchers or notification recipients. Temporarily disabling release notifications or customizing notification settings to exclude former watchers can reduce exposure. Administrators should monitor Gitea updates for patches addressing this vulnerability and apply them promptly once available. Implementing additional access control checks in notification workflows or using external notification systems with stricter access validation can help mitigate the issue. Educating users to recognize and report unexpected release notifications is also advisable. For critical repositories, consider restricting repository visibility changes or using alternative secure communication channels for release announcements until the vulnerability is resolved.
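The technical summary above describes the root cause (the watcher list is used as the mailing list without re-checking current permissions after a visibility change), and this section recommends auditing watchers of repositories that were recently made private. The following Go program is an added example written for this page; it is not Gitea's own code and uses simplified, constructed types (`Repo`, `hasAccess`, user names such as "carol") to model the problem. It shows the flawed recipient selection beside a corrected version that re-evaluates access at send time, and a `staleWatchers` helper that produces the audit list an administrator would review.

```go
package main

import (
	"fmt"
	"strings"
)

// Visibility models the repository setting that CVE-2026-0798 concerns.
type Visibility int

const (
	Public Visibility = iota
	Private
)

// Repo is a constructed, simplified model (not Gitea's own types): a name, its
// current visibility, the users who hold explicit access, and the watcher list,
// which here persists across a visibility change, as the advisory describes.
type Repo struct {
	Name          string
	Visibility    Visibility
	Collaborators []string // owner, collaborators, team members with read access
	Watchers      []string // every account that watched the repository at some point
}

// hasAccess is a stand-in for the server's permission check: public repositories
// are readable by any account, private ones only by listed collaborators.
func hasAccess(r Repo, user string) bool {
	if r.Visibility == Public {
		return true
	}
	for _, c := range r.Collaborators {
		if c == user {
			return true
		}
	}
	return false
}

// unfilteredRecipients reproduces the flawed pattern: the watcher list is used
// as the mailing list without consulting current permissions.
func unfilteredRecipients(r Repo) []string {
	return append([]string(nil), r.Watchers...)
}

// filteredRecipients is the corrected pattern: access is re-evaluated for each
// watcher at send time, so a notification cannot outlive the permission.
func filteredRecipients(r Repo) []string {
	out := []string{}
	for _, w := range r.Watchers {
		if hasAccess(r, w) {
			out = append(out, w)
		}
	}
	return out
}

// staleWatchers lists watchers who no longer have access: the audit list an
// administrator would review after flipping a repository to private.
func staleWatchers(r Repo) []string {
	out := []string{}
	for _, w := range r.Watchers {
		if !hasAccess(r, w) {
			out = append(out, w)
		}
	}
	return out
}

// makePrivate flips visibility; the watcher list is deliberately left untouched
// to model the state the advisory describes.
func makePrivate(r Repo) Repo {
	r.Visibility = Private
	return r
}

func main() {
	// Constructed sample data: two collaborators, four historical watchers.
	repo := Repo{
		Name:          "acme/widgets",
		Visibility:    Public,
		Collaborators: []string{"alice", "bob"},
		Watchers:      []string{"alice", "bob", "carol", "dave"},
	}
	repo = makePrivate(repo)
	fmt.Println("unfiltered:", strings.Join(unfilteredRecipients(repo), ", "))
	fmt.Println("filtered:  ", strings.Join(filteredRecipients(repo), ", "))
	fmt.Println("stale:     ", strings.Join(staleWatchers(repo), ", "))
}
```

The design point is where the permission check lives: filtering once when a user subscribes is not enough, because the subscription can outlast the permission; the check belongs in the send path, evaluated against the repository's current state. The same `staleWatchers` logic, fed with real watcher and collaborator lists, is the audit this section recommends.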
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gitea
- Date Reserved: 2026-01-08T23:02:08.534Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6972a2c84623b1157c93280d
Added to database: 1/22/2026, 10:20:56 PM
Last enriched: 1/30/2026, 10:13:12 AM
Last updated: 2/5/2026, 9:56:43 AM