CVE-2026-20750: gitea: Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)

Severity: Critical

CVSS Score: 9.1

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.