CVE-2026-0798

Description

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:* - VULNERABLE

Gitea < 1.25.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

暂无公开的PoC代码

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0798
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0798
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0798/
[4] VulDB https://vuldb.com/cve/CVE-2026-0798
[5] https://blog.gitea.com/release-of-1.25.4/
[6] https://github.com/go-gitea/gitea/pull/36319
[7] https://github.com/go-gitea/gitea/releases/tag/v1.25.4
[8] https://github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0798", "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "published": "2026-01-22T22:16:15.957", "lastModified": "2026-01-29T21:59:24.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content."}, {"lang": "es", "value": "Gitea puede enviar correos electrónicos de notificación de lanzamiento para repositorios privados a usuarios cuyo acceso ha sido revocado. Cuando un repositorio cambia de público a privado, los usuarios que previamente seguían el repositorio pueden seguir recibiendo notificaciones de lanzamiento, divulgando potencialmente títulos de lanzamiento, etiquetas y contenido."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "versionEndExcluding": "1.25.4", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA"}]}]}], "references": [{"url": "https://blog.gitea.com/release-of-1.25.4/", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/pull/36319", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"]}]}}