{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20888", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "state": "PUBLISHED", "assignerShortName": "Gitea", "dateReserved": "2026-01-08T23:02:37.542Z", "datePublished": "2026-01-22T22:01:51.214Z", "dateUpdated": "2026-01-23T21:54:14.856Z"}, "containers": {"cna": {"affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"version": "0", "lessThanOrEqual": "1.25.3", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36341", "name": "GitHub Pull Request #36341", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36356", "name": "GitHub Pull Request #36356", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "credits": [{"lang": "en", "value": "spingARbor", "type": "reporter"}], "title": "Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)", "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:51.214Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T21:09:52.298236Z", "id": "CVE-2026-20888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:54:14.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T21:09:52.298236Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:09:48.392Z"}}], "cna": {"title": "Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)", "credits": [{"lang": "en", "type": "reporter", "value": "spingARbor"}], "affected": [{"vendor": "Gitea", "product": "Gitea Open Source Git Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.25.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64", "name": "GitHub Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/go-gitea/gitea/pull/36341", "name": "GitHub Pull Request #36341", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36356", "name": "GitHub Pull Request #36356", "tags": ["patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "name": "Gitea v1.25.4 Release", "tags": ["release-notes"]}, {"url": "https://blog.gitea.com/release-of-1.25.4/", "name": "Gitea v1.25.4 Release Blog Post", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "shortName": "Gitea", "dateUpdated": "2026-01-22T22:01:51.214Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20888", "state": "PUBLISHED", "dateUpdated": "2026-01-23T21:54:14.856Z", "dateReserved": "2026-01-08T23:02:37.542Z", "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2", "datePublished": "2026-01-22T22:01:51.214Z", "assignerShortName": "Gitea"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA", "versionEndExcluding": "1.25.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users."}], "id": "CVE-2026-20888", "lastModified": "2026-01-29T22:00:58.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T22:16:17.890", "references": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"], "url": "https://blog.gitea.com/release-of-1.25.4/"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/go-gitea/gitea/pull/36341"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/go-gitea/gitea/pull/36356"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"], "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"}, {"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"], "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64"}], "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}], "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary"}]}

{"bugzilla": {"description": "gitea: Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)", "id": "2432211", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432211"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "(CWE-284|CWE-862)", "details": ["Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-20888", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-opc-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2026-01-22T22:01:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20888\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20888\nhttps://blog.gitea.com/release-of-1.25.4/\nhttps://github.com/go-gitea/gitea/pull/36341\nhttps://github.com/go-gitea/gitea/pull/36356\nhttps://github.com/go-gitea/gitea/releases/tag/v1.25.4\nhttps://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T03:32:08.333402+00:00", "value": {"mitigation_remediation": ["Upgrade to Gitea version 1.25.4 or later to receive the fixed authorization check for the cancel\u2011auto\u2011merge endpoint.", "If an upgrade cannot be performed immediately, disable the auto\u2011merge feature or restrict the cancel\u2011auto\u2011merge endpoint to users with at least write access to the repository.", "Monitor repository logs for unexpected cancellation events and review user permissions to ensure read\u2011only users do not possess broader privileges than necessary."], "summary": {"action": "Patch Immediately", "impact": "Authorization Bypass (Read-Only Users Can Cancel Scheduled Auto\u2011Merge)"}, "threat_synthesis": {"affected_systems": "Vendors affected include the Gitea open source Git server. The CVE does not specify which releases are vulnerable, but the advisory references the 1.25.4 release where the issue was addressed. Consequently, any installation of Gitea that predates that patch, or that has not been updated to a fixed version, is susceptible.", "description_and_impact": "Gitea does not correctly enforce authorization checks when a user accesses the web interface endpoint used to cancel scheduled auto\u2011merges. As a result, any account that has read access to pull requests can invoke this endpoint and cancel auto\u2011merge jobs that were scheduled by other users. This flaw allows a low\u2011privileged user to interfere with the repository\u2019s merge workflow, potentially delaying or preventing the integration of code changes. The vulnerability is an example of improper authorization (CWE\u2011284) and authorization bypass (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog, so no known active exploitation is documented. The attack can be performed over the web from any browser session that has PR read rights, without requiring elevated permissions or additional authentication steps beyond normal access to pull requests. Because the vulnerability is limited to account permissions rather than system\u2011wide compromise, the potential impact is confined to the ability to cancel merges, though this could disrupt automated pipelines and delay code delivery."}}}}, "created": "2026-01-23T10:27:12.572359+00:00", "updated": "2026-04-18T03:45:21.069402+00:00", "vendors": ["gitea", "gitea$PRODUCT$gitea"]}