CVE-2026-27660
Gitea · Gitea Open Source Git Server
Gitea versions prior to 1.25.5 contain an authorization flaw that permits unauthorized access to draft release data and attachments.
Executive summary
An authorization vulnerability in Gitea allows unauthenticated or unauthorized users to access sensitive draft release content and attachments.
Vulnerability
This vulnerability (CWE-284) stems from a failure to enforce correct access control checks when retrieving draft release information, allowing actors to bypass security requirements for sensitive project data.
Business impact
This flaw may lead to the premature exposure of proprietary software releases, documentation, or internal attachments, potentially resulting in intellectual property leakage or the exposure of sensitive security information before a product is officially launched. With a CVSS score of 7.5, the vulnerability represents a substantial risk to the confidentiality of development project lifecycles.
Remediation
Immediate Action: Update Gitea to version 1.25.5 or later to resolve the underlying access control bypass.
Proactive Monitoring: Monitor access logs for unauthorized requests directed at release-related endpoints, particularly those targeting draft or unreleased content.
Compensating Controls: Restrict public network access to the Gitea instance if possible, or employ a WAF to filter requests targeting release and attachment APIs.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Administrators should treat this as a high-priority update to ensure that draft release information remains confidential. Immediate patching to version 1.25.5 is strongly recommended to prevent the unauthorized disclosure of sensitive project data.