CVE-2026-25782 PUBLISHED

Gitea tracked-time deletion can target entries from another issue

Assigner: Gitea
Reserved: 22.02.2026 Published: 03.07.2026 Updated: 03.07.2026

Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.

Product Status

Vendor Gitea
Product Gitea Open Source Git Server
Versions Default: unaffected
  • affected from 0 to 1.25.5 (excl.)

Credits

  • CsEnox reporter

References

Problem Types

  • Authorization Bypass Through User-Controlled Key CWE