CVE-2026-20888 — Improper Access Control in Gitea

CWE-284 — Improper Access Control CWE-862 — Missing Authorization CWE-425 — Forced Browsing6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 98.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Github.com Go-gitea Gitea Gitea +1 more

Timeline

PublishedJan 22

Latest updateFeb 2

Description

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDgitea/gitea< 1.25.4

▶Gocode.gitea.io/gitea< 1.25.4

▶Gogithub.com/go-gitea_gitea< 1.25.4

▶CVEListV5gitea/gitea_open_source_git_server1.25.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea↗2026-02-02

▶

GHSA

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface↗2026-01-23

▶

OSV

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface↗2026-01-23

▶

📋Vendor Advisories

Red Hat

gitea: Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)↗2026-01-22

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20888 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶