Moderate severityOSV Advisory· Published Jan 22, 2026· Updated Jan 23, 2026
Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
CVE-2026-20904
Description
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/go-gitea/giteaGo | < 1.25.4 | 1.25.4 |
Affected products
4- osv-coords3 versionspkg:bitnami/giteapkg:golang/github.com/go-gitea/giteapkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.25.4+ 2 more
- (no CPE)range: < 1.25.4
- (no CPE)range: < 1.25.4
- (no CPE)range: < 0.0.20260205T172317-150000.1.146.1
Patches
Vulnerability mechanics
References
9- github.com/go-gitea/gitea/pull/36346ghsapatchWEB
- github.com/go-gitea/gitea/pull/36361ghsapatchWEB
- github.com/advisories/GHSA-qqgv-v353-cv8pghsaADVISORY
- github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqxmitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2026-20904ghsaADVISORY
- blog.gitea.com/release-of-1.25.4ghsaWEB
- blog.gitea.com/release-of-1.25.4/mitrerelease-notes
- github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22ghsaWEB
- github.com/go-gitea/gitea/releases/tag/v1.25.4ghsarelease-notesWEB
News mentions
0No linked articles in our index yet.