Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-20904

Опубликовано: 22 янв. 2026
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

An access control flaw has been discovered in Gitea. Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Pipelinesopenshift-pipelines/pipelines-opc-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-639
https://bugzilla.redhat.com/show_bug.cgi?id=2432217gitea: Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

EPSS

Процентиль: 1%
0.00011
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-20904

CVSS3: 6.5
nvd
2 месяца назад

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

debian логотип

CVE-2026-20904

CVSS3: 6.5
debian
2 месяца назад

Gitea does not properly validate ownership when toggling OpenID URI vi ...

redos логотип

ROS-20260224-73-0026

CVSS3: 6.5
redos
около 1 месяца назад

Уязвимость gitea

github логотип

GHSA-qqgv-v353-cv8p

github
2 месяца назад

Gitea does not properly validate ownership when toggling OpenID URI visibility

EPSS

Процентиль: 1%
0.00011
Низкий

6.5 Medium

CVSS3