Gitea: community verdicts
3 notable / known-exploited Gitea CVEs the community has triaged.
Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Gitea CVE, see NVD.
- CVE-2026-20897 (CRIT 9.1; verdict: Real, low risk; EPSS 0%)
  Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
- CVE-2026-20912 (CRIT 9.1; verdict: Real, low risk; EPSS 0%)
  Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
- CVE-2026-20750 (CRIT 9.1; verdict: Real, low risk; EPSS 0%)
  Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.