CVE Catalog
CVE-2026-20909
Exploitation Probability (EPSS): 0.16% (low risk)
5th percentile: higher than 5% of all known CVEs
Summary
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries. An attacker may gain access to time data of other users without proper authorization.
Risk Assessment
The risk is potential leakage of sensitive user time-tracking information, which could compromise data confidentiality and organizational security policies.
Recommendation
Upgrade Gitea immediately to version 1.25.5 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

