CVE-2025-69413

Medium CVSS: 5.3

In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.

Vendor

Product

CWE

Yayın Tarihi

2026-01-01 05:16:03

Güncelleme

2026-01-06 19:27:57

Source Identifier

cve@mitre.org

KEV Date Added

CWE-204 Gitea MEDIUM Gitea 2026

https://blog.gitea.com/release-of-1.25.2/ https://github.com/go-gitea/gitea/issues/35984 https://github.com/go-gitea/gitea/pull/36002 https://github.com/go-gitea/gitea/releases/tag/v1.25.2

Medium

CVE-2026-20904

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to cha…

Critical

CVE-2026-20912

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a…

Critical

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repos…

High

CVE-2026-20736

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachmen…

Critical

CVE-2026-20750

Gitea does not properly validate project ownership in organization project operations. A user with project write access…

Medium

CVE-2026-20800

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a…