CVE-2020-13246
Description
An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea through 1.11.5 allows an attacker to freeze the server by starting a repository ownership transfer from one organization to another, which triggers a deadlock.
Root Cause
In Gitea versions through 1.11.5, the code path that transfers a repository's ownership from one organization to another could deadlock. The issue arises from improper synchronization when retrieving the new owner organization's teams during the transfer: the nested lookup never completes, the request hangs, and the log reported by the reporter ends in a `sync: negative WaitGroup counter` panic [1][2].
Attack Vector
An authenticated user who is allowed to initiate a repository ownership transfer from one organization to another can exploit this vulnerability. No privileges beyond the permission to transfer the repository are required. The attack consists of simply starting the transfer operation, after which the server stops responding [2].
Impact
When the deadlock is triggered, the Gitea server freezes and stops processing further requests. In the log excerpt provided by the reporter, the server has to be forcefully shut down (the graceful manager "hammers" it) and restarted, resulting in a denial of service [2]. The panic message `sync: negative WaitGroup counter` in that log confirms a concurrency bug [2].
Mitigation
The vulnerability was addressed in Gitea 1.11.6. The fix is contained in pull request #11438, which changed how organization teams are retrieved during ownership transfers so that the lookup runs inside the already-open session instead of opening a new one, removing the deadlock condition [3]. Note that the GitHub Security Advisory lists 1.12.0 as the patched version while the OSV coordinates list < 1.11.6 as affected (see Affected packages and Affected products below). Users running Gitea versions through 1.11.5 should upgrade immediately to a patched release.
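The following Go program is an added illustration of the bug class described in the Root Cause and Mitigation sections; it is not Gitea's code and does not reproduce the actual transfer path. It models a store whose operations serialize on a single lock (standing in for a database session), a transfer routine that holds that lock and then calls a team lookup that opens its own "session" on the same lock (self-deadlock), and the fixed variant that reuses the open session. `runWithTimeout` is a hypothetical helper that reports the hang instead of letting the program block forever; the org and team names are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"time"
	"sync"
)

// store is a constructed stand-in for a database that serializes every
// operation on one lock, the way a single-connection transaction does.
type store struct {
	mu    sync.Mutex
	teams map[string][]string // org name -> team names (constructed sample data)
}

func newStore() *store {
	return &store{teams: map[string][]string{
		"org-a": {"owners", "devs"},
		"org-b": {"owners"},
	}}
}

// getTeamsNewSession opens its own session: it takes the lock itself.
// Safe when called on its own, fatal when the caller already holds mu.
func (s *store) getTeamsNewSession(org string) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.teams[org]
}

// getTeamsInSession assumes the caller's session already holds mu.
func (s *store) getTeamsInSession(org string) []string {
	return s.teams[org]
}

// transferVulnerable models the bug class: the transfer transaction holds
// the lock and then calls a helper that opens a fresh session on the same
// lock. The second Lock() never returns, so the request hangs forever.
func (s *store) transferVulnerable(newOwner string) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.getTeamsNewSession(newOwner) // blocks on s.mu held above
}

// transferFixed reuses the open session for the nested team lookup.
func (s *store) transferFixed(newOwner string) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.getTeamsInSession(newOwner)
}

var errDeadlock = errors.New("operation did not complete: probable deadlock")

// runWithTimeout runs f in a goroutine and reports errDeadlock if it has
// not returned within d. A goroutine that deadlocked is leaked, and any
// lock it holds stays held, so use a fresh store after a reported deadlock.
func runWithTimeout(d time.Duration, f func() []string) ([]string, error) {
	done := make(chan []string, 1)
	go func() { done <- f() }()
	select {
	case r := <-done:
		return r, nil
	case <-time.After(d):
		return nil, errDeadlock
	}
}

func main() {
	vulnerable := newStore()
	_, err := runWithTimeout(200*time.Millisecond, func() []string {
		return vulnerable.transferVulnerable("org-b")
	})
	fmt.Println("vulnerable transfer:", err)

	fixed := newStore() // fresh store: the vulnerable one is now wedged
	teams, err := runWithTimeout(200*time.Millisecond, func() []string {
		return fixed.transferFixed("org-b")
	})
	fmt.Println("fixed transfer:", teams, err)
}
```

The point to carry back to real code: any helper that opens its own session must never be called from inside a transaction on the same resource; either pass the open session in, as the fixed variant does, or release the outer lock first. The wedged store after the vulnerable call also mirrors the page's symptom: once the deadlock occurs, every later operation on that store blocks too.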
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-gitea/gitea (Go) | < 1.12.0 | 1.12.0 |
Affected products
- Gitea/Gitea
- osv-coords, 2 versions: < 1.11.6 and < 1.12.0
- (no CPE) range: < 1.11.6
- (no CPE) range: < 1.12.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-g2qx-6ghw-67hm (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-13246 (NVD advisory)
- [2] https://github.com/go-gitea/gitea/issues/10549 (issue report with log excerpt)
- [3] https://github.com/go-gitea/gitea/pull/11438 (fix pull request)
- www.youtube.com/watch (video reference, URL truncated in source)
News mentions
No linked articles in our index yet.