CVE-2026-20897
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: Gitea Limited
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitea | gitea | all versions before 1.25.4 (1.25.4 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Gitea occurs because the system does not properly validate repository ownership when deleting Git LFS locks. As a result, a user who has write access to one repository may be able to delete LFS locks that belong to other repositories, which they should not have permission to modify.
How can this vulnerability impact me?
The impact is that a user who has write access to one repository, but no rights on another, could delete Git LFS locks on that other repository. This could disrupt collaboration and version control by letting such a user interfere with the locks that protect files in repositories they are not authorized to modify, potentially leading to data integrity issues or workflow interruptions.