CVE-2026-24451
Low risk · EPSS 10% (Exploitation Probability, EPSS)
10th percentile: higher than 10% of all known CVEs
Summary
A vulnerability in Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to unauthorized forks.
Risk Assessment
The organization risks data leakage when a repository is set to private but its fork continues to synchronize, revealing confidential information to unauthorized users.
Recommendation
Immediately update Gitea to a patched version and review all forks of repositories that changed to private to ensure synchronization has been stopped.
Original NVD description (English source)
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.

