Improper access control in Gitea - CVE-2026-24451
Published: June 22, 2026
Vulnerability identifier: #VU135005
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-24451
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: The Gitea Authors
Affected software:
Gitea
Gitea
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the POST /api/v1/repos/{owner}/{repo}/merge-upstream endpoint when synchronizing a fork with its parent repository after the parent repository has been changed from public to private. A remote user can call the merge-upstream API on a previously created fork to disclose sensitive information.
The issue only affects repositories that were forked while the parent repository was public, and only content synchronized into the fork after the visibility change becomes exposed.
How to mitigate CVE-2026-24451
Install security update from vendor's website.