CVE-2026-20904
Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
Severity: 6.5 MEDIUM (CVSS 3.1). EPSS: 0.02%
Description
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
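The missing ownership check described above, as an added example in Go that is not Gitea's code: a hypothetical in-memory store holds OpenID records, the broken toggle looks a record up by its ID alone, and the corrected toggle also requires the record's owner to match the session user.

```go
package main

import "errors"

// UserOpenID is a hypothetical OpenID URI record, not Gitea's own model.
type UserOpenID struct {
	ID   int64 // record id the browser submits when toggling
	UID  int64 // owning user
	URI  string
	Show bool // shown on the public profile?
}

var ErrForbidden = errors.New("openid: record not found or not owned by requester")

type Store struct{ rows map[int64]*UserOpenID } // constructed in-memory stand-in for the DB

func NewStore(rows ...*UserOpenID) *Store {
	s := &Store{rows: map[int64]*UserOpenID{}}
	for _, r := range rows {
		s.rows[r.ID] = r
	}
	return s
}

// toggleVulnerable is the broken pattern: the record is fetched by ID alone,
// so any signed-in user who submits another user's record ID flips it.
func (s *Store) toggleVulnerable(recordID int64) error {
	oid, ok := s.rows[recordID]
	if !ok {
		return ErrForbidden
	}
	oid.Show = !oid.Show
	return nil
}

// ToggleVisibility binds the lookup to the session user: the record must
// exist and belong to requesterUID before anything changes. One error covers
// "missing" and "not yours" so the endpoint does not confirm foreign IDs.
func (s *Store) ToggleVisibility(requesterUID, recordID int64) error {
	oid, ok := s.rows[recordID]
	if !ok || oid.UID != requesterUID {
		return ErrForbidden
	}
	oid.Show = !oid.Show
	return nil
}

// main keeps the file buildable on its own; the behaviour is exercised in tests.
func main() { _ = NewStore() }
```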
How to fix CVE-2026-20904
To remediate CVE-2026-20904, upgrade the affected package to a fixed version listed below.
- Bitnami/gitea — upgrade to 1.25.4 or later
- — upgrade to 1.25.4 or later
- — upgrade to 1.25.4 or later
Is CVE-2026-20904 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.25.4
- from 0, < 1.25.4
- from 0, < 1.25.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |