VDB
CISA-2026-20888
CISA-2026-20888
PUBLISHED
CVSS 4.3 MEDIUM
Reported by Gitea · Published January 22, 2026
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Risk Scores
CVSS 3.1
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitea | Gitea Open Source Git Server | 0 |
| Gitea | Gitea Open Source Git Server | 0, 0 |
Timeline
- Jan 22, 2026 CVE Published
- Jan 23, 2026 CVE Updated
References
- GitHub Security Advisory vendor-advisory
- GitHub Pull Request #36341 patch
- GitHub Pull Request #36356 patch
- Gitea v1.25.4 Release release-notes
- Gitea v1.25.4 Release Blog Post release-notes