Gitea, Improper Access Control, CVE-2026-XXXX (Moderate)

Listen to this Post

How the CVE Works

The vulnerability resides in the API endpoint responsible for toggling the visibility (/api/v1/user/openid/visibility) of a user’s linked OpenID Connect identity. The endpoint accepts an `id` parameter to specify which OpenID identity to modify. The application fails to verify that the authenticated user making the POST request is the legitimate owner of the OpenID identity referenced by the provided id. An attacker can exploit this by sending a crafted request with the `id` of another user’s OpenID identity. This lack of server-side ownership validation allows any authenticated user to change the visibility (e.g., from private to public) of any other user’s stored OpenID URIs, potentially exposing sensitive identifiers.

dailycve

Platform: Gitea
Version: Multiple versions
Vulnerability: Improper ownership validation
Severity: Moderate
date: 2026-01-23

Prediction: 2026-02-13

What Undercode Say

$ curl -X POST 'https://target/api/v1/user/openid/visibility' \
-H 'Authorization: token <ATTACKER_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{"id": 12345}'
The ID '12345' belongs to a victim user.
Pseudo-Code of Flawed Function
func ToggleOpenIDVisibility(id int64) {
// Missing check: currentUser.ID != openidIdentity.OwnerID
openidIdentity := GetOpenIDByID(id)
openidIdentity.Hide = !openidIdentity.Hide
Save(openidIdentity) // Vulnerability is here
}

How Exploit

  1. Attacker authenticates to Gitea and obtains an API token.
  2. Attacker enumerates or guesses the target OpenID identity `id` (e.g., via other information leaks).
  3. Attacker sends a POST request to `/api/v1/user/openid/visibility` with the victim’s id.
  4. The server toggles the visibility state without ownership checks, potentially exposing the victim’s private OpenID URI.

Protection from this CVE

Apply official patch.

Implement ownership validation.

Add ACL checks.

Impact

Unauthorized data modification.

Sensitive information exposure.

Privacy violation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top