VDB

CISA-2026-20888

CISA-2026-20888 PUBLISHED CVSS 4.3 MEDIUM

Reported by Gitea · Published January 22, 2026

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Risk Scores

CVSS 3.1
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products

VendorProductVersions
GiteaGitea Open Source Git Server0
GiteaGitea Open Source Git Server0, 0

Timeline

  • Jan 22, 2026 CVE Published
  • Jan 23, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›