CVE-2026-27660

Gitea · Gitea Open Source Git Server

Gitea versions prior to 1.25.5 contain an authorization flaw that permits unauthorized access to draft release data and attachments.

Executive summary

An authorization vulnerability in Gitea allows unauthenticated or unauthorized users to access sensitive draft release content and attachments.

Vulnerability

This vulnerability (CWE-284) stems from a failure to enforce correct access control checks when retrieving draft release information, allowing actors to bypass security requirements for sensitive project data.

Business impact

This flaw may lead to the premature exposure of proprietary software releases, documentation, or internal attachments, potentially resulting in intellectual property leakage or the exposure of sensitive security information before a product is officially launched. With a CVSS score of 7.5, the vulnerability represents a substantial risk to the confidentiality of development project lifecycles.

Remediation

Immediate Action: Update Gitea to version 1.25.5 or later to resolve the underlying access control bypass.

Proactive Monitoring: Monitor access logs for unauthorized requests directed at release-related endpoints, particularly those targeting draft or unreleased content.

Compensating Controls: Restrict public network access to the Gitea instance if possible, or employ a WAF to filter requests targeting release and attachment APIs.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Administrators should treat this as a high-priority update to ensure that draft release information remains confidential. Immediate patching to version 1.25.5 is strongly recommended to prevent the unauthorized disclosure of sensitive project data.