Listen to this Post
How the CVE Works
The vulnerability resides in the API endpoint responsible for toggling the visibility (/api/v1/user/openid/visibility) of a user’s linked OpenID Connect identity. The endpoint accepts an `id` parameter to specify which OpenID identity to modify. The application fails to verify that the authenticated user making the POST request is the legitimate owner of the OpenID identity referenced by the provided id. An attacker can exploit this by sending a crafted request with the `id` of another user’s OpenID identity. This lack of server-side ownership validation allows any authenticated user to change the visibility (e.g., from private to public) of any other user’s stored OpenID URIs, potentially exposing sensitive identifiers.
dailycve
Platform: Gitea
Version: Multiple versions
Vulnerability: Improper ownership validation
Severity: Moderate
date: 2026-01-23
Prediction: 2026-02-13
What Undercode Say
$ curl -X POST 'https://target/api/v1/user/openid/visibility' \
-H 'Authorization: token <ATTACKER_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{"id": 12345}'
The ID '12345' belongs to a victim user.
Pseudo-Code of Flawed Function
func ToggleOpenIDVisibility(id int64) {
// Missing check: currentUser.ID != openidIdentity.OwnerID
openidIdentity := GetOpenIDByID(id)
openidIdentity.Hide = !openidIdentity.Hide
Save(openidIdentity) // Vulnerability is here
}
How Exploit
- Attacker authenticates to Gitea and obtains an API token.
- Attacker enumerates or guesses the target OpenID identity `id` (e.g., via other information leaks).
- Attacker sends a POST request to `/api/v1/user/openid/visibility` with the victim’s
id. - The server toggles the visibility state without ownership checks, potentially exposing the victim’s private OpenID URI.
Protection from this CVE
Apply official patch.
Implement ownership validation.
Add ACL checks.
Impact
Unauthorized data modification.
Sensitive information exposure.
Privacy violation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

