CVE-2026-58419

Gitea · Gitea Open Source Git Server

The Gitea Notification API leaks private issue metadata even after access has been revoked, resulting in an information disclosure vulnerability.

Executive summary

A high-severity information disclosure vulnerability in the Gitea Notification API allows unauthorized access to private issue metadata, necessitating an immediate update to version 1.26.3 or later.

Vulnerability

The vulnerability is an information disclosure flaw (CWE-200) within the Notification API. It occurs because the API fails to correctly enforce access control checks when retrieving issue metadata, allowing users to view sensitive information even after their access permissions have been revoked.

Business impact

The CVSS score of 7.5 (High) highlights the risk to sensitive intellectual property. If exploited, an attacker could gain visibility into private development issues, security vulnerabilities, or project roadmaps, leading to significant competitive harm and loss of confidentiality for all projects hosted on the affected Gitea instance.

Remediation

Immediate Action: Update Gitea to version 1.26.3 or higher immediately to apply the necessary access control patches.

Proactive Monitoring: Review audit logs for suspicious API access patterns, particularly queries directed at the Notification API that may have been performed by users whose access was recently revoked.

Compensating Controls: If an immediate update is not feasible, restrict public access to the Gitea API and implement IP-based access controls to limit the surface area available to potential attackers.

Exploitation status

Public Exploit Available: True

Analyst recommendation

This vulnerability represents a significant risk to the confidentiality of development environments. Organizations should prioritize updating their Gitea instances to version 1.26.3 or later to ensure that access control logic is correctly enforced for all API endpoints.