Forgejo Security Release 1.20.6-0

Forgejo v1.20.6-0 was released 28 November 2023.

This release contains a security fix related to permissions enforcement of API endpoints.

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

API and web endpoint vulnerable to manually crafted identifiers

See the Forgejo v1.20.5-1 blog post for a detailed explanation on this kind of vulnerability.

  • get the public key of a user
  • get a release or a release attachment
  • get OAuth2 applications (except for the secret)

Fixes were written for the vulnerable endpoints but not thoroughly tested.

Reminder of responsible disclosure

Forgejo v1.20.5-1 was released 25 November 2023 after a 30-day embargo that gave enough time to Gogs, Gitea and Forgejo to prepare and publish a patch release on 25 November 2025.

The complete list of identified vulnerabilities was communicated by the Forgejo security team to Gitea on 5 November 2023 and the final version of the patch fixing all of them was sent on 24 November 2023, via encrypted email. In addition, two PRs (for v1.20 and v1.21) were sent to Gitea on 25 November 2023 prior to the announcement of the Forgejo release to help fast track a stable point release.

On 25 November 2023, shortly after the release, additional vulnerabilities were revealed publicly in contradiction with the Gitea and Forgejo security policies as well as the general principles of responsible disclosure.

This unfortunate incident forced the immediate preparation of this Forgejo patch release. With no advance warning it only allowed for limited testing and there is a non negligible risk of a regression.

In such a situation the Forgejo admins and users are suffering the consequences, either because they are left unecessarily exposed to publicly known vulnerabilities or because their instance may run into regressions due to insufficient preparation time and testing.

If you discover a new vulnerability, you are urged to not reveal it publicly but to send an encrypted email to security@forgejo.org so this situation does not happen again.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!