CVE-2026-20800

Publication date

2026-01-22 22:01:50

Family

Gitea

State

PUBLISHED

Description

Giteas notification API does not re-validate repository access permissions when returning notification details. After a users access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.