CVE-2025-68940
Published 2025-12-26
Priority P4 · CVSS 3.1 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.25% (16.3rd percentile)

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.22.5 | 1.22.5 |
| gitea | gitea | < 1.22.5 | 1.22.5 |
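As an added example (not the page's or Gitea's own code), the following Go program turns the affected range in the table above into a check you can run against an instance: it parses the body Gitea returns from GET /api/v1/version (the endpoint is real; the JSON body below is constructed for the example) and evaluates it against ">= 0 < 1.22.5". Pre-release ordering (a 1.22.5 release candidate sorts before 1.22.5 and so still counts as affected) follows SemVer and is an assumption of the example, not something the advisory states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Affected range copied from the advisory's table; fixed in 1.22.5.
const affectedRange = ">= 0 < 1.22.5"

// Constructed sample of a GET /api/v1/version response. The endpoint and its
// {"version": ...} shape are real; this particular version string is made up.
const sampleVersionJSON = `{"version":"1.22.4+dev-123-gabcdef0"}`

type version struct {
	nums [3]int
	pre  string // pre-release tag such as "rc1"; empty for a release
}

// parseVersion accepts "1.22.5", "v1.22.5" and "1.22.5-rc1". Build metadata
// after "+" is dropped before the pre-release split, as SemVer requires.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", p)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare returns -1, 0 or 1. A pre-release sorts before its release, so
// 1.22.5-rc1 < 1.22.5 and an RC of the fixed version is still affected.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] < b.nums[i] {
			return -1
		}
		if a.nums[i] > b.nums[i] {
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// inRange evaluates an OSV-style range such as ">= 0 < 1.22.5": every
// "<op> <version>" pair must hold for v to be inside the range.
func inRange(v version, rng string) (bool, error) {
	toks := strings.Fields(rng)
	if len(toks) == 0 || len(toks)%2 != 0 {
		return false, fmt.Errorf("bad range %q", rng)
	}
	for i := 0; i < len(toks); i += 2 {
		bound, err := parseVersion(toks[i+1])
		if err != nil {
			return false, err
		}
		c := compare(v, bound)
		var ok bool
		switch toks[i] {
		case ">=":
			ok = c >= 0
		case ">":
			ok = c > 0
		case "<":
			ok = c < 0
		case "<=":
			ok = c <= 0
		case "==", "=":
			ok = c == 0
		default:
			return false, fmt.Errorf("bad operator %q", toks[i])
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

// Affected parses a /api/v1/version body and reports whether that instance
// falls inside the advisory's affected range for CVE-2025-68940.
func Affected(body string) (bool, error) {
	var resp struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal([]byte(body), &resp); err != nil {
		return false, err
	}
	v, err := parseVersion(resp.Version)
	if err != nil {
		return false, err
	}
	return inRange(v, affectedRange)
}

func main() {
	hit, err := Affected(sampleVersionJSON)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CVE-2025-68940 affected=%v for %s\n", hit, sampleVersionJSON)
}
```

To run it against a live instance, replace sampleVersionJSON with the body of `curl -s https://<your-gitea>/api/v1/version`; the endpoint needs no authentication on a default install, so the check can sit in a scheduled job.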
CVSS provenance
NVD: CVSS 3.1 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat (vendor): CVSS 3.1 LOW
OSV (2025-12-30)
CVE-2025-68940: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request, in code.gitea.io/gitea
OSV (2025-12-26)
CVE-2025-68940 [LOW]: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
GHSA (2025-12-26)
CVE-2025-68940 [LOW] CWE-863: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
Red Hat (vendor, 2025-12-26, CVSS 3.1)
CVE-2025-68940 [LOW] CWE-863: gitea: Gitea: Unauthorized branch deletion due to inadequate permission enforcement
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
A flaw was found in Gitea, a self-hosted Git service. After a pull request is merged, the system inadequately enforces branch deletion permissions. This allows an attacker with low privileges to delete branches without proper authorization, potentially leading to unauthorized changes to the repository's history and integrity.
Statement: This vulnerability is rated Low for Red Hat OpenShift Pipelines. The flaw in Gitea, integrated with OpenShift Pipelines, allows a low-privileged attacker to delete branches without proper authorization after a pull request is merged. This could compromise the inte
No detection rules found.
No public exploits indexed.
Published: 2025-12-26