CVE-2026-25038
Gitea · Open Source Git Server
Gitea 1.26.2 contains an improper authorization vulnerability that allows unauthenticated users to access labels belonging to private organizations.
Executive summary
A critical authorization bypass in Gitea 1.26.2 permits unauthenticated users to access sensitive labels of private organizations, posing a risk to information confidentiality.
Vulnerability
This is an improper authorization vulnerability (CWE-862) and an information exposure flaw (CWE-200) where the application fails to perform necessary capability checks. The vulnerability is exploitable by unauthenticated remote attackers.
Business impact
The vulnerability carries a CVSS score of 7.5, indicating a high severity risk. Successful exploitation allows unauthorized parties to view sensitive metadata regarding private projects, which can lead to the exposure of internal organization structures and project naming conventions, potentially aiding in further targeted attacks against the organization.
Remediation
Immediate Action: Upgrade Gitea to version v1.26.3 or later immediately to resolve the authorization flaw.
Proactive Monitoring: Review web access logs for unusual patterns of requests directed at label-related endpoints, particularly those originating from unauthorized or external IP addresses.
Compensating Controls: Implement strict network access controls (ACLs) to restrict access to the Gitea instance to known, trusted IP ranges where possible to minimize exposure to external threats.
Exploitation status
Public Exploit Available: True
Analyst recommendation
The presence of a public exploit significantly elevates the risk of this vulnerability. Administrators must prioritize the upgrade to v1.26.3 to close this unauthorized access vector and prevent the leakage of sensitive organizational metadata.