CVE-2026-25712

Gitea · Open Source Git Server

Gitea versions before 1.25.5 exhibit insufficient visibility checks within organization permission APIs, potentially exposing private information about hidden members and organizations.

Executive summary

Insufficient visibility checks in Gitea versions prior to 1.25.5 allow for the unauthorized exposure of private organization member data.

Vulnerability

The vulnerability involves improper access control (CWE-284) within the organization permission APIs. This allows an unauthenticated attacker to bypass visibility restrictions that should otherwise hide specific members and private organization details.

Business impact

With a CVSS score of 7.5, this vulnerability represents a significant risk to the confidentiality of organizational data. Unauthorized access to the list of members or the existence of private organizations can compromise internal security, provide attackers with intelligence for social engineering, or reveal sensitive project information.

Remediation

Immediate Action: Update the Gitea instance to version v1.25.5 or later to apply the necessary visibility permission checks.

Proactive Monitoring: Monitor API logs for anomalous query patterns, specifically those attempting to enumerate members or organization listings from external or unauthenticated sessions.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block suspicious API requests that appear to be performing unauthorized enumeration of organization resources.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Maintaining proper visibility controls is essential for protecting internal organizational structure. Organizations should apply the v1.25.5 update as part of their regular patch management cycle to ensure that sensitive member and organizational data remains protected.