Low severity · OSV Advisory · Published Jan 22, 2026 · Updated Jan 23, 2026
Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
CVE-2026-0798
Description
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.gitea.io/gitea (Go) | < 1.25.4 | 1.25.4 |
References
- github.com/go-gitea/gitea/pull/36319 [ghsa: patch, WEB]
- github.com/advisories/GHSA-8fwc-qjw5-rvgp [ghsa: ADVISORY]
- github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p [mitre: vendor-advisory]
- nvd.nist.gov/vuln/detail/CVE-2026-0798 [ghsa: ADVISORY]
- blog.gitea.com/release-of-1.25.4 [ghsa: WEB]
- blog.gitea.com/release-of-1.25.4/ [mitre: release-notes]
- github.com/go-gitea/gitea/releases/tag/v1.25.4 [ghsa: release-notes, WEB]