CVE-2018-1000803
Description
Gitea versions prior to 1.5.1 contain a CWE-200 vulnerability that can result in exposure of users' private email addresses. This attack appears to be exploitable by watching a repository to receive email notifications: the emails received contain the other recipients even if they have their email set as private. This vulnerability appears to have been fixed in 1.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea 1.5.0 and earlier exposed private email addresses of all watchers in notification emails, fixed in 1.5.1.
Vulnerability
Gitea versions prior to 1.5.1 contain a vulnerability (CWE-200) that exposes users' private email addresses when repository watchers receive email notifications. The SendIssueCommentMail and SendIssueMentionMail functions in models/issue_mail.go sent a batch list of recipient email addresses, including those of users who had set their email as private, to all recipients in the CC list. This affected all watchers of a repository who receive issue or mention notifications [1].
Exploitation
An attacker needs no special privileges beyond being a user of the Gitea instance and watching a repository (or being mentioned in an issue). When an issue comment or mention notification is generated, the email sent to each recipient contains the email addresses of all other recipients in the To/CC header. No user interaction beyond watching the repository or being mentioned is required; the exposure occurs automatically upon email delivery [1][2].
Impact
Successful exploitation results in the disclosure of users' private email addresses to other repository watchers or participants in the thread. This violates the confidentiality of users who have configured their email as private, contradicting the expected behavior where private emails should not be shared. The impact is limited to information disclosure and does not enable code execution or privilege escalation [1][2].
Mitigation
The vulnerability was fixed in Gitea version 1.5.1, released in September 2018. The fix introduced per-recipient email sending, so each email is sent individually rather than in a batch, preventing disclosure of other recipients' addresses. The commit 194a11eb110cd98fc2ba52861abf7770db6885a3 in pull request #4664 implemented the change [2][3][4]. Users should upgrade to Gitea 1.5.1 or later. No workaround is available for earlier versions [1].
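The batch-versus-per-recipient behaviour described under Vulnerability and Mitigation, reduced to a runnable model with a regression check (an added example in Go, not Gitea's code or the #4664 patch itself; Message, sendBatch, sendPerRecipient and leakedPrivateAddresses are names assumed for this illustration, and a Message is modelled as just the list of recipient addresses visible in its To/Cc headers):

```go
package main

import "fmt"

// Message models one outgoing notification as the recipient addresses visible
// to whoever receives it (To plus Cc). Simplified for this example; not Gitea's type.
type Message []string

// sendBatch mirrors the pre-1.5.1 behaviour: a single message whose recipient
// list carries every watcher, so each of them sees all the others.
func sendBatch(emails []string) []Message { return []Message{Message(emails)} }

// sendPerRecipient mirrors the #4664 fix: one message per address, so no
// recipient list is ever shared.
func sendPerRecipient(emails []string) []Message {
	var msgs []Message
	for _, e := range emails {
		msgs = append(msgs, Message{e})
	}
	return msgs
}

// leakedPrivateAddresses is a regression check to run over whatever the mailer
// emits: it returns every address flagged private that another recipient can
// see, i.e. one placed on a recipient list with more than one entry.
func leakedPrivateAddresses(private map[string]bool, msgs []Message) []string {
	var leaked []string
	reported := map[string]bool{}
	for _, m := range msgs {
		for _, addr := range m {
			if private[addr] && len(m) > 1 && !reported[addr] {
				reported[addr] = true
				leaked = append(leaked, addr)
			}
		}
	}
	return leaked
}

func main() {
	// Constructed sample: bob and carol have "keep email private" enabled.
	watchers := []string{"alice@example.com", "bob@example.com", "carol@example.com"}
	private := map[string]bool{"bob@example.com": true, "carol@example.com": true}
	fmt.Println(leakedPrivateAddresses(private, sendBatch(watchers)))        // [bob@example.com carol@example.com]
	fmt.Println(leakedPrivateAddresses(private, sendPerRecipient(watchers))) // []
}
```

The same check can be pointed at captured SMTP traffic from a test instance: any message with more than one visible recipient that includes a private address is a regression of this CVE.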
- NVD - CVE-2018-1000803
- Don't disclose emails of all users when sending out emails by techknowlogick · Pull Request #4664 · go-gitea/gitea
- Don't disclose emails of all users when sending out emails by techknowlogick · Pull Request #4664 · go-gitea/gitea
- Don't disclose emails of all users when sending out emails (#4664) · go-gitea/gitea@194a11e
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-gitea/gitea (Go) | < 1.5.1 | 1.5.1 |
Affected products
Patches
194a11eb110c: Don't disclose emails of all users when sending out emails (#4664)
1 file changed · +10 −2
models/issue_mail.go+10 −2 modified@@ -1,4 +1,5 @@ // Copyright 2016 The Gogs Authors. All rights reserved. +// Copyright 2018 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. @@ -87,7 +88,9 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content names = append(names, participants[i].Name) } - SendIssueCommentMail(issue, doer, content, comment, tos) + for _, to := range tos { + SendIssueCommentMail(issue, doer, content, comment, []string{to}) + } // Mail mentioned people and exclude watchers. names = append(names, doer.Name) @@ -99,7 +102,12 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content tos = append(tos, mentions[i]) } - SendIssueMentionMail(issue, doer, content, comment, getUserEmailsByNames(e, tos)) + + emails := getUserEmailsByNames(e, tos) + + for _, to := range emails { + SendIssueMentionMail(issue, doer, content, comment, []string{to}) + } return nil }
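Review bot: in the second hunk, the loop `for _, to := range tos { SendIssueCommentMail(issue, doer, content, comment, []string{to}) }` still does not check whether each send succeeded, so a failure part-way through now leaves some watchers notified and others not, where the single batch call before either sent to all or none; a per-iteration log line or collected error would make that visible. The same `tos` slice is also reused for mention names a few lines later (it is passed through getUserEmailsByNames there), so a distinct name such as `mentionNames` would make clear which list holds addresses and which holds usernames. A test asserting that every message produced by mailIssueCommentToParticipants carries exactly one recipient would lock the fix in.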
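Review bot: in the third hunk, the two added blank lines around `emails := getUserEmailsByNames(e, tos)` are stray whitespace and should be dropped; gofmt preserves them, so they will stay in the file otherwise. The loop itself matches the comment-notification path above it, which is the right shape for stopping private addresses reaching other recipients.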
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f5fj-7265-jxhj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000803 (GHSA, advisory)
- github.com/go-gitea/gitea/commit/194a11eb110cd98fc2ba52861abf7770db6885a3 (GHSA, web)
- github.com/go-gitea/gitea/pull/4664 (GHSA, x_refsource_CONFIRM, web)
- github.com/go-gitea/gitea/pull/4664/files (GHSA, x_refsource_CONFIRM, web)