CVE-2026-20750: Improper Project Ownership Validation in Gitea
This critical-severity vulnerability (CVSS 9.1) in Gitea stems from improper project ownership validation during organization project operations. An attacker with existing user privileges could exploit it to illegally claim ownership of projects, leading to unauthorized code manipulation or data theft.
Think of a shared online whiteboard where different teams draw their projects, and each drawing has a clearly assigned owner. Due to a flaw, someone can simply erase an existing owner's name and write their own, making it look like they created that drawing, even if they didn't. This vulnerability means Gitea's system for checking who truly owns a project within an organization is flawed. An attacker can leverage this oversight to falsely assert ownership over projects they are not authorized to control. This allows them to modify, delete, or steal sensitive code and data without the actual owner's permission.
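To make the class of flaw concrete from the defender's side, here is an added illustration in Go (Gitea's implementation language). It is not Gitea's code and does not reproduce the actual vulnerable logic; the `Project` type, the in-memory `projectStore`, and the two loader functions are hypothetical. It contrasts a lookup that resolves a project by ID alone with one that also binds the project to the organization the request is scoped to, which is the kind of ownership check the advisory says was missing.

```go
package main

import (
	"errors"
	"fmt"
)

// Project is a simplified, hypothetical model; it is not Gitea's type.
type Project struct {
	ID      int64
	OwnerID int64 // the organization (or user) that owns this project
	Title   string
}

// projectStore is a constructed in-memory table standing in for a database.
// Project 1 belongs to org 10, project 2 belongs to org 20.
var projectStore = map[int64]Project{
	1: {ID: 1, OwnerID: 10, Title: "org-a roadmap"},
	2: {ID: 2, OwnerID: 20, Title: "org-b roadmap"},
}

var (
	ErrNotFound   = errors.New("project not found")
	ErrWrongOwner = errors.New("project does not belong to this organization")
)

// loadProjectWeak resolves a project purely by the ID supplied in the request.
// The organization from the route is never compared against the project's
// owner, so a caller authorized in org 10 can act on org 20's project.
// This is the insecure pattern.
func loadProjectWeak(orgID, projectID int64) (Project, error) {
	p, ok := projectStore[projectID]
	if !ok {
		return Project{}, ErrNotFound
	}
	_ = orgID // ignored: the ownership check is missing
	return p, nil
}

// loadProjectForOrg ties the project to the organization the request is
// scoped to: the project is returned only if its OwnerID matches that org.
// Every organization-level project operation should go through a check
// like this before reading or mutating the project.
func loadProjectForOrg(orgID, projectID int64) (Project, error) {
	p, ok := projectStore[projectID]
	if !ok {
		return Project{}, ErrNotFound
	}
	if p.OwnerID != orgID {
		// Kept distinct from ErrNotFound for clarity; a handler may choose
		// to map both to the same client-visible response.
		return Project{}, ErrWrongOwner
	}
	return p, nil
}

func main() {
	// A request scoped to org 10 that names project 2 (owned by org 20).
	if p, err := loadProjectWeak(10, 2); err == nil {
		fmt.Printf("weak lookup: granted %q owned by org %d\n", p.Title, p.OwnerID)
	}
	if _, err := loadProjectForOrg(10, 2); err != nil {
		fmt.Println("checked lookup:", err)
	}
}
```

The fix is structural rather than clever: the project identifier coming from the request is never trusted on its own, and the owner recorded on the project is compared against the organization already resolved from the route. Auditing for this class of bug means finding every code path that loads an object by ID inside an org-scoped handler and confirming that comparison is present.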