CVE-2026-20904

EUVD-2026-4262
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
giteagitea
𝑥
< 1.25.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.gitea.com/release-of-1.25.4/
https://github.com/go-gitea/gitea/pull/36346
https://github.com/go-gitea/gitea/pull/36361
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx