CVE-2026-20904

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-20904

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-20904.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-20904

Aliases

Published

2026-01-22T22:16:19.130Z

Modified

2026-03-15T22:51:50.344707Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

References

Affected packages

Git / github.com/go-gitea/gitea

Affected ranges

Type

GIT

Repo

https://github.com/go-gitea/gitea

Events

Introduced

Fixed

369830bada2fd8826a5135cb2fc66660a9bef708

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.25.4"
        }
    ]
}

Affected versions

v0.*

v0.9.99

v1.*

v1.0.0

v1.1.0

v1.10.0-dev

v1.10.0-rc1

v1.10.5

v1.11.0-dev

v1.11.0-rc1

v1.12.0-dev

v1.13.0-dev

v1.14.0-dev

v1.15.0-dev

v1.15.0-rc1

v1.16.0-dev

v1.16.0-rc1

v1.17.0-dev

v1.18.0-dev

v1.18.0-rc0

v1.19.0-dev

v1.19.0-rc0

v1.20.0-dev

v1.20.0-rc0

v1.21.0-dev

v1.21.0-rc0

v1.22.0-dev

v1.22.0-rc0

v1.22.0-rc1

v1.23.0-dev

v1.24.0-dev

v1.25.0

v1.25.0-dev

v1.25.0-rc0

v1.25.1

v1.25.2

v1.25.3

v1.26.0-dev

v1.5.0-dev

v1.5.0-rc1

v1.6.0-dev

v1.6.0-rc1

v1.7.0-dev

v1.9.0-dev

v1.9.0-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-20904.json"