CVE Field Guide
About Us
CVE-2026-20909
PUBLISHED
Gitea tracked-time list endpoint has insufficient permission checks
Assigner:
Gitea
Reserved:
22.02.2026
Published:
03.07.2026
Updated:
03.07.2026
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Product Status
Vendor
Gitea
Product
Gitea Open Source Git Server
Versions
Default:
unaffected
affected from 0 to 1.25.5 (excl.)
References
GitHub Pull Request #36662
GitHub Pull Request #36744
Gitea v1.25.5 Release
Gitea v1.25.5 Release Blog Post
Problem Types
CWE-284
CWE