CVE-2026-25712
Gitea · Open Source Git Server
Gitea versions before 1.25.5 exhibit insufficient visibility checks within organization permission APIs, potentially exposing private information about hidden members and organizations.
Executive summary
Insufficient visibility checks in Gitea versions prior to 1.25.5 allow for the unauthorized exposure of private organization member data.
Vulnerability
The vulnerability involves improper access control (CWE-284) within the organization permission APIs. This allows an unauthenticated attacker to bypass visibility restrictions that should otherwise hide specific members and private organization details.
Business impact
With a CVSS score of 7.5, this vulnerability represents a significant risk to the confidentiality of organizational data. Unauthorized access to the list of members or the existence of private organizations can compromise internal security, provide attackers with intelligence for social engineering, or reveal sensitive project information.
Remediation
Immediate Action: Update the Gitea instance to version v1.25.5 or later to apply the necessary visibility permission checks.
Proactive Monitoring: Monitor API logs for anomalous query patterns, specifically those attempting to enumerate members or organization listings from external or unauthenticated sessions.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block suspicious API requests that appear to be performing unauthorized enumeration of organization resources.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Maintaining proper visibility controls is essential for protecting internal organizational structure. Organizations should apply the v1.25.5 update as part of their regular patch management cycle to ensure that sensitive member and organizational data remains protected.