What is the CVSS score of CVE-2026-20897?

CVE-2026-20897 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Gitea are affected by CVE-2026-20897?

A critical vulnerability in Gitea allows users with write access to one repository to maliciously delete Git LFS locks in other repositories, potentially corrupting or blocking access to shared…. A patch is available.

How to fix or mitigate CVE-2026-20897?

Within 24 hours: Assess your Gitea deployment version and confirm if you are running an affected version. Within 7 days: Apply the available vendor patch to all Gitea instances in your environment and test functionality in a staging environment first. Within 30 days: Conduct a security audit of repository access logs to identify if this vulnerability was exploited, and implement mandatory code review processes for LFS lock modifications.

Gitea CVE-2026-20897

CRITICAL

Improper Access Control (CWE-284)

2026-01-22 88ee5874-cf24-4952-aea0-31affedb7ff2

GHSA-393c-qgvj-3xph

Authentication Bypass Gitea Red Hat Suse

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SUSE

CRITICAL

qualitative

Red Hat

9.1 CRITICAL

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Jan 29, 2026 - 22:02 nvd

Patch available

CVE Published

Jan 22, 2026 - 22:16 nvd

CRITICAL 9.1

DescriptionCVE.org

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

AnalysisAI

Gitea fails to validate repository ownership when deleting Git LFS locks, allowing users with write access to one repo to delete LFS locks in other repositories.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Gitea instance

Delivery

Access repository with write permissions

Exploit

Send crafted LFS lock deletion request

Execution

Delete locks from unrelated repository

Impact

Disrupt other users' work

Access

Authenticate to Gitea instance

Delivery

Access repository with write permissions

Exploit

Send crafted LFS lock deletion request

Execution

Delete locks from unrelated repository

Impact

Disrupt other users' work

Vulnerability AssessmentAI

Exploitation	Gitea instance with Git LFS enabled and attacker possessing write access to any single repository. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1 with patch. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with write access to Repo A deletes LFS locks on Repo B, causing concurrent push conflicts that could corrupt large binary assets or disrupt CI/CD pipelines.
Remediation	Update Gitea to the patched version. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Assess your Gitea deployment version and confirm if you are running an affected version. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28737 HIGH This Week

8.7 Jun 17

Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a cra

CVE-2026-26231 HIGH This Week

8.5 Jun 16

Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to

CVE-2026-28699 HIGH This Week

8.1 Jun 16

OAuth2 scope enforcement bypass in Gitea <= 1.26.1 allows any OAuth2 access token to perform write actions far beyond it

CVE-2026-28744 HIGH This Week

8.1 Jun 16

Authorization scope bypass in Gitea v1.26.1 and earlier allows authenticated users to use OAuth2/PAT Bearer tokens to pe

CVE-2026-24791 HIGH This Week

8.1 Jun 17

Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth gran

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.5	Fixed

CVE-2026-20897 vulnerability details – vuln.today

Back

Gitea CVE-2026-20897

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code