CVE-2026-24451
Gitea · Gitea Open Source Git Server
A vulnerability in Gitea 1.26.2 allows unauthorized data access by failing to terminate fork synchronization when a parent repository transitions from public to private visibility.
Executive summary
Gitea 1.26.2 contains a critical authorization flaw that permits unauthorized users to access private repository data via existing repository forks.
Vulnerability
This is an improper authorization and information disclosure vulnerability (CWE-284, CWE-200). The flaw occurs because the system does not verify repository visibility state during fork synchronization, allowing unauthenticated or unauthorized users to continue pulling data from a repository after it has been secured as private.
Business impact
The vulnerability presents a significant risk of intellectual property theft and unauthorized data exposure. With a CVSS score of 9.1, this represents a critical threat, as it allows attackers to bypass access controls on private repositories, potentially leading to the leakage of sensitive source code, credentials, or proprietary business logic.
Remediation
Immediate Action: Upgrade Gitea to version 1.26.3 or later, which contains the fix for this synchronization logic error.
Proactive Monitoring: Audit repository fork relationships and monitor access logs for unusual synchronization requests originating from external or unauthorized forks.
Compensating Controls: Temporarily restrict or disable fork creation for sensitive repositories until the patch can be applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations utilizing Gitea must treat this vulnerability with high urgency. Given the critical nature of the flaw, administrators should prioritize the upgrade to version 1.26.3 immediately to prevent the ongoing exposure of private repository content.