CVE-2026-0798

Severity CVSS v4.0:

Pending analysis

Type:

CWE-284 Improper Access Control

Publication date:

22/01/2026

Last modified:

22/01/2026

Description

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.

Impact

References to Advisories, Solutions, and Tools

https://blog.gitea.com/release-of-1.25.4/
https://github.com/go-gitea/gitea/pull/36319
https://github.com/go-gitea/gitea/releases/tag/v1.25.4
https://github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p