CVE-2026-24451

Gitea · Gitea Open Source Git Server

A vulnerability in Gitea 1.26.2 allows unauthorized data access by failing to terminate fork synchronization when a parent repository transitions from public to private visibility.

Executive summary

Gitea 1.26.2 contains a critical authorization flaw that permits unauthorized users to access private repository data via existing repository forks.

Vulnerability

This is an improper authorization and information disclosure vulnerability (CWE-284, CWE-200). The flaw occurs because the system does not verify repository visibility state during fork synchronization, allowing unauthenticated or unauthorized users to continue pulling data from a repository after it has been secured as private.

Business impact

The vulnerability presents a significant risk of intellectual property theft and unauthorized data exposure. With a CVSS score of 9.1, this represents a critical threat, as it allows attackers to bypass access controls on private repositories, potentially leading to the leakage of sensitive source code, credentials, or proprietary business logic.

Remediation

Immediate Action: Upgrade Gitea to version 1.26.3 or later, which contains the fix for this synchronization logic error.

Proactive Monitoring: Audit repository fork relationships and monitor access logs for unusual synchronization requests originating from external or unauthorized forks.

Compensating Controls: Temporarily restrict or disable fork creation for sensitive repositories until the patch can be applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations utilizing Gitea must treat this vulnerability with high urgency. Given the critical nature of the flaw, administrators should prioritize the upgrade to version 1.26.3 immediately to prevent the ongoing exposure of private repository content.