CVE-2022-38183
Description
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Gitea before 1.16.9, improper access controls allowed attackers to assign any issue to any project, revealing private issue titles.
Root Cause
Gitea versions prior to 1.16.9 lacked proper permission checks when users added existing issues to projects. Specifically, the server did not verify that the issue belonged to the same repository as the project, nor that the current user had access to the issue. This allowed any authenticated user to assign any issue—regardless of its visibility—to any project [1][4].
Exploitation
An attacker could exploit this by sending a crafted POST request to a repository's /issues/projects endpoint (for a repository the attacker controls), supplying the target issue ID and the attacker's project ID. The request required a valid CSRF token but no further authorization. The usd HeroLab advisory includes a proof-of-concept that assigns a private issue (ID 7) to an attacker-owned project (ID 3) [4].
Impact
Successful exploitation gave the attacker read access to the title of any private issue in the Gitea instance. While the full body remained hidden, the title alone could leak sensitive project information. The vulnerability is rated medium severity due to the partial disclosure [1][4].
Mitigation
The issue was addressed in Gitea version 1.16.9, which introduced checks ensuring that the issue's repository ID matches the project's repository ID and that the user has the appropriate permissions [2]. Users are advised to upgrade to this version or later; no workaround exists for earlier releases.
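To make the two missing checks concrete, the following is an added, self-contained Go example; it is not Gitea's own code, and the types, function names, store layout and sample data are constructed for illustration. `addIssuesVulnerable` models the pre-1.16.9 behaviour described above (only the project's repository is authorized, the issue IDs are never checked), and `addIssuesFixed` adds the same-repository check and the permission check the advisory credits to 1.16.9. The returned titles stand in for what the project board would then show the caller.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, simplified model for illustration only; not Gitea's real types.
type Repo struct {
	ID        int64
	IsPrivate bool
	Readers   map[int64]bool // user IDs allowed to read a private repository
}

// CanRead reports whether userID may read this repository's issues.
func (r *Repo) CanRead(userID int64) bool { return !r.IsPrivate || r.Readers[userID] }

type Issue struct {
	ID     int64
	RepoID int64
	Title  string
}

type Project struct {
	ID, RepoID int64
	IssueIDs   []int64
}

type Store struct {
	Repos    map[int64]*Repo
	Issues   map[int64]*Issue
	Projects map[int64]*Project
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// addIssuesVulnerable: the caller must be able to read the project's repository,
// but each issue ID is loaded and attached without checking which repository it
// belongs to, so any issue on the instance can be pulled onto the caller's board.
func (s *Store) addIssuesVulnerable(userID, projectID int64, issueIDs []int64) ([]string, error) {
	project, ok := s.Projects[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.Repos[project.RepoID].CanRead(userID) {
		return nil, ErrForbidden
	}
	var titles []string
	for _, id := range issueIDs {
		issue, ok := s.Issues[id]
		if !ok {
			return nil, ErrNotFound
		}
		project.IssueIDs = append(project.IssueIDs, id)
		titles = append(titles, issue.Title) // private title now visible to the caller
	}
	return titles, nil
}

// addIssuesFixed: the issue must belong to the project's repository, which the
// caller has already been authorized to read. Validation runs before any
// mutation, so a batch containing one foreign issue is rejected as a whole.
func (s *Store) addIssuesFixed(userID, projectID int64, issueIDs []int64) ([]string, error) {
	project, ok := s.Projects[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.Repos[project.RepoID].CanRead(userID) {
		return nil, ErrForbidden
	}
	issues := make([]*Issue, 0, len(issueIDs))
	for _, id := range issueIDs {
		issue, ok := s.Issues[id]
		if !ok {
			return nil, ErrNotFound
		}
		if issue.RepoID != project.RepoID { // cross-repository assignment: refuse
			return nil, ErrForbidden
		}
		issues = append(issues, issue)
	}
	var titles []string
	for _, issue := range issues {
		project.IssueIDs = append(project.IssueIDs, issue.ID)
		titles = append(titles, issue.Title)
	}
	return titles, nil
}

// newSampleStore builds constructed data: private repo 1 (readable by user 100 only)
// holding issue 7 and project 5; public repo 2 owned by the attacker (user 200)
// holding project 3.
func newSampleStore() *Store {
	return &Store{
		Repos: map[int64]*Repo{
			1: {ID: 1, IsPrivate: true, Readers: map[int64]bool{100: true}},
			2: {ID: 2},
		},
		Issues:   map[int64]*Issue{7: {ID: 7, RepoID: 1, Title: "Unannounced: migrate customer DB to new vendor"}},
		Projects: map[int64]*Project{3: {ID: 3, RepoID: 2}, 5: {ID: 5, RepoID: 1}},
	}
}

func main() {
	titles, err := newSampleStore().addIssuesVulnerable(200, 3, []int64{7})
	fmt.Printf("vulnerable: titles=%q err=%v\n", titles, err)
	s := newSampleStore()
	titles, err = s.addIssuesFixed(200, 3, []int64{7})
	fmt.Printf("fixed:      titles=%q err=%v\n", titles, err)
	titles, err = s.addIssuesFixed(100, 5, []int64{7}) // same repository, authorized user
	fmt.Printf("fixed, legitimate: titles=%q err=%v\n", titles, err)
}
```

Running it shows the attacker (user 200) obtaining the private title through the vulnerable path and receiving `forbidden` from the fixed one, while a reader of the private repository can still move its own issue onto a project in that repository.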
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| code.gitea.io/gitea | Go | < 1.16.9 | 1.16.9 |
Affected products
- Gitea/Gitea (OSV coordinates, no CPE), 2 version ranges:
  - range: < 1.16.9
  - range: < 1.16.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fhv8-m4j4-cww2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-38183 (NVD entry)
- security.gentoo.org/glsa/202210-14 (Gentoo vendor advisory)
- blog.gitea.io/2022/07/gitea-1.16.9-is-released/ (Gitea 1.16.9 release notes)
- github.com/go-gitea/gitea/pull/20133 (Gitea pull request)
- github.com/go-gitea/gitea/pull/20196 (Gitea pull request)
- herolab.usd.de/security-advisories/usd-2022-0015/ (usd HeroLab advisory)
- pkg.go.dev/vuln/GO-2024-2769 (Go vulnerability database)
News mentions
No linked articles in our index yet.