Gitea, Improper Repository Ownership Validation, Moderate Severity

Listen to this Post

The vulnerability in Gitea stems from inadequate validation checks during the attachment linking process for releases. When a user uploads a file as an attachment to a private repository, Gitea assigns it a unique identifier and stores it with metadata including the repository ID. However, when this attachment is linked to a release through the API or web interface, the system fails to verify that the attachment’s repository ID matches the repository ID of the release being modified. This flaw exists in the code responsible for associating attachments with releases, specifically in functions that handle POST requests to endpoints like /api/v1/repos/:owner/:repo/releases/:id/assets. An attacker with upload permissions to any private repository can exploit this by first uploading a sensitive file, capturing its attachment UUID, and then crafting a HTTP request to link that UUID to a release in a publicly accessible repository. The server processes this request without validating cross-repository ownership, thereby creating an association that bypasses the private repository’s access controls. Consequently, the attached file becomes accessible to anyone who can view the public release, leading to unauthorized data disclosure. The issue is rooted in the omission of a repository ID comparison step before saving the attachment-release link in the database. This allows the attachment from a private context to be leaked through a public channel, undermining the integrity of repository privacy settings. The vulnerability is particularly critical in multi-user environments where public and private repositories coexist, as it can be leveraged to exfiltrate confidential data without direct access to the private repository itself.
Platform: Gitea
Version: Prior to patch
Vulnerability: Improper ownership validation
Severity: Moderate
Date: Jan 23 2026

Prediction: Patch expected soon

What Undercode Say:

Analytics

Bash commands:

  • Check version: `gitea –version`
    – Exploit curl: `curl -X POST -H “Authorization: token ” -H “Content-Type: application/json” -d ‘{“attachment_id”:”“}’ https://gitea.example.com/api/v1/repos/public/repo/releases/1/assets`

Code snippet:

// Vulnerable function example
func LinkAttachment(attachID, releaseID int64) {
att := GetAttachment(attachID)
rel := GetRelease(releaseID)
// Missing: if att.RepoID != rel.RepoID { return error }
db.Save(&ReleaseAttachment{AttachmentID: attachID, ReleaseID: releaseID})
}

how Exploit:

Attacker uploads to private repo, obtains attachment UUID, links to public release via API, exposing file.

Protection from this CVE

Update Gitea version, validate repository ownership, restrict cross-repository linking.

Impact:

Unauthorized data access, privacy breach, information leakage.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top