Home > Vulnerability Database > CVE-2026-20904

Mend.io Vulnerability Database

CVE-2026-20904

Good to know:

Date: January 22, 2026

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Severity Score

6.5

Related Resources (11)

Url: https://github.com/go-gitea/gitea/releases/tag/v1.25.4

Url: https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx

Url: https://github.com/go-gitea/gitea/pull/36361

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-20904

Url: https://github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22

Url: https://blog.gitea.com/release-of-1.25.4/

Url: https://github.com/advisories/GHSA-qqgv-v353-cv8p

Url: https://github.com/go-gitea/gitea/pull/36346

Url: https://blog.gitea.com/release-of-1.25.4

Url: https://github.com/go-gitea/gitea

Url: https://www.mend.io/vulnerability-database/CVE-2026-20904

Severity Score

6.5

Weakness Type (CWE)

Improper Access Control

CWE-284

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

Upgrade Version

Upgrade to version github.com/go-gitea/gitea - v1.25.4;code.gitea.io/gitea - v1.25.4;https://github.com/go-gitea/gitea.git - v1.25.4

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-20904

Good to know:

Date: January 22, 2026

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?