CVE-2026-20888
Published 2026-01-22
Priority: P4 · 24 · medium · 4.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.30% (21.9th percentile)
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.25.4 | 1.25.4 |
| gitea | gitea | < 1.25.4 | 1.25.4 |
| gitea | gitea_open_source_git_server | <= 1.25.3 | — |
| github.com | go-gitea_gitea | >= 0 < 1.25.4 | 1.25.4 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
vendor_redhat·2026-01-22·CVSS 4.3
CVE-2026-20888 [MEDIUM] CWE-425 gitea: Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)
An access control flaw has been discovered in Gitea. Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to wi
OSV
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
osv·2026-02-02
GHSA
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface
ghsa·2026-01-23
CVE-2026-20888 [MEDIUM] CWE-284 Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
OSV
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface
osv·2026-01-23
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
No detection rules found.
No public exploits indexed.
Published: 2026-01-22