Unscheduled Disruption: Killing Gitea Auto-Merges via Logic Flaws
Vulnerability ID: CVE-2026-20888
CVSS Score: 4.3
Published: 2026-01-23
A logic flaw in Gitea's access control allows any user with read access to a repository to cancel scheduled auto-merges, effectively enabling low-privileged users to disrupt CI/CD workflows and release pipelines.
TL;DR
In Gitea versions up to 1.25.3, the 'Scheduled Auto-Merge' feature lacked proper authorization checks on its cancellation endpoints. This means any user with read access (even a lowly intern or a random public user) could cancel a maintainer's scheduled merge, causing silent delays in deployment. Fixed in v1.25.4 by enforcing strict permission checks.
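To make the defect class concrete, here is an added illustration (not Gitea's code and not taken from the patch) of a cancellation handler that gates only on read access, beside one that requires merge-level (write) access or ownership of the scheduled merge. The permission levels, the `Repo` model and the user names are assumptions made for the example; the exact rule that 1.25.4 enforces is in Gitea's own patch.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is a simplified stand-in for a forge's repository permission
// levels. (Assumption: Gitea's real access model is richer than this.)
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
)

// ScheduledMerge records who asked for an automatic merge of a pull request.
type ScheduledMerge struct {
	PullIndex   int
	ScheduledBy string
}

// Repo holds the per-user access mode and the pending auto-merges.
type Repo struct {
	Perms     map[string]AccessMode
	Scheduled map[int]*ScheduledMerge
}

var ErrForbidden = errors.New("forbidden: insufficient permission to cancel auto-merge")

// cancelVulnerable shows the defect class the advisory describes: the only
// gate is "can this user see the repository", so any reader can remove a
// scheduled merge that a maintainer set up.
func (r *Repo) cancelVulnerable(user string, pull int) error {
	if r.Perms[user] < AccessRead {
		return ErrForbidden
	}
	if _, ok := r.Scheduled[pull]; !ok {
		return fmt.Errorf("pull #%d has no scheduled merge", pull)
	}
	delete(r.Scheduled, pull)
	return nil
}

// cancelFixed applies the check a cancellation endpoint needs: the caller must
// hold write access or higher (i.e. could merge the PR themselves), or be the
// user who scheduled the merge. Readers can already see the PR, so looking the
// record up before the permission check leaks nothing new.
func (r *Repo) cancelFixed(user string, pull int) error {
	sm, ok := r.Scheduled[pull]
	if !ok {
		return fmt.Errorf("pull #%d has no scheduled merge", pull)
	}
	if r.Perms[user] < AccessWrite && sm.ScheduledBy != user {
		return ErrForbidden
	}
	delete(r.Scheduled, pull)
	return nil
}

// sampleRepo builds constructed state: "maya" is a maintainer who scheduled
// pull #42 for auto-merge, "intern" only has read access.
func sampleRepo() *Repo {
	return &Repo{
		Perms:     map[string]AccessMode{"maya": AccessWrite, "intern": AccessRead},
		Scheduled: map[int]*ScheduledMerge{42: {PullIndex: 42, ScheduledBy: "maya"}},
	}
}

func main() {
	r := sampleRepo()
	fmt.Println("vulnerable, intern cancels #42:", r.cancelVulnerable("intern", 42)) // nil: succeeded
	r = sampleRepo()
	fmt.Println("fixed, intern cancels #42:", r.cancelFixed("intern", 42)) // forbidden
	fmt.Println("fixed, maya cancels #42:", r.cancelFixed("maya", 42))     // nil: succeeded
}
```

The point to check in any similar endpoint is that "may view" and "may alter another user's scheduled action" are distinct decisions; the second must be tied to the permission that the action itself requires (here, the ability to merge).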
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network
- CVSS: 4.3 (Medium)
- Impact: Integrity (Low)
- Privileges: Low (Read Access)
- Exploit Status: PoC Available
Affected Systems
- Gitea <= 1.25.3 (fixed in 1.25.4)
Exploit Details
- Internal Research: The logic flaw is evident in the patch diff provided in the official repository.
Mitigation Strategies
- Upgrade Gitea to version 1.25.4 or later.
- Restrict repository visibility to trusted users until patched.
- Monitor audit logs for unexpected auto-merge cancellations.
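As an added example of the monitoring step (not Gitea's tooling), the following Go program scans cancellation events and flags those performed by an account that has less than write access and is not the user who scheduled the merge. The log lines, their key=value layout and the permission table are all constructed for the example; Gitea's real log format differs and `parseFields` would have to be adapted to it.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessMode is a simplified permission model (assumption: Gitea's is richer).
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
)

// Finding describes one cancellation made by a reader rather than by a
// maintainer or by the user who scheduled the merge.
type Finding struct {
	Timestamp, Repo, Pull, Actor, ScheduledBy string
}

// constructedLog is sample input in a made-up key=value shape.
var constructedLog = []string{
	"2026-01-23T10:15:02Z event=auto_merge.cancel repo=acme/app pull=42 actor=intern scheduled_by=maya",
	"2026-01-23T10:16:40Z event=auto_merge.schedule repo=acme/app pull=43 actor=maya",
	"2026-01-23T10:17:11Z event=auto_merge.cancel repo=acme/app pull=43 actor=maya scheduled_by=maya",
	"2026-01-23T10:20:55Z event=auto_merge.cancel repo=acme/app pull=44 actor=bob scheduled_by=maya",
	"this line is not parseable and is skipped",
}

// parseFields splits the timestamp off and reads the remaining "k=v" tokens.
// Any token without "=" marks the line as malformed and it is skipped.
func parseFields(line string) (ts string, fields map[string]string, ok bool) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return "", nil, false
	}
	fields = make(map[string]string)
	for _, p := range parts[1:] {
		k, v, found := strings.Cut(p, "=")
		if !found {
			return "", nil, false
		}
		fields[k] = v
	}
	return parts[0], fields, true
}

// suspiciousCancellations returns cancellations whose actor holds less than
// write access and is not the scheduling user. Actors absent from perms are
// treated as having no access, so they are flagged too.
func suspiciousCancellations(lines []string, perms map[string]AccessMode) []Finding {
	var out []Finding
	for _, line := range lines {
		ts, f, ok := parseFields(line)
		if !ok || f["event"] != "auto_merge.cancel" {
			continue
		}
		actor := f["actor"]
		if perms[actor] >= AccessWrite || actor == f["scheduled_by"] {
			continue
		}
		out = append(out, Finding{
			Timestamp: ts, Repo: f["repo"], Pull: f["pull"],
			Actor: actor, ScheduledBy: f["scheduled_by"],
		})
	}
	return out
}

func main() {
	perms := map[string]AccessMode{"maya": AccessWrite, "intern": AccessRead, "bob": AccessRead}
	for _, fnd := range suspiciousCancellations(constructedLog, perms) {
		fmt.Printf("%s %s#%s cancelled by %q (below write), scheduled by %q\n",
			fnd.Timestamp, fnd.Repo, fnd.Pull, fnd.Actor, fnd.ScheduledBy)
	}
}
```

On an instance that is already on 1.25.4 this should find nothing new; on a not-yet-patched instance, the findings identify which pipelines were delayed and by which account, which is the evidence needed to decide whether the visibility restriction above is worth applying in the meantime.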
Remediation Steps:
- Backup your Gitea configuration and database.
- Download the 1.25.4 binary or pull the latest Docker image (gitea/gitea:1.25.4).
- Replace the binary/container and restart the service.
- Verify the fix by attempting to cancel an auto-merge as a low-privileged user.
References
Read the full report for CVE-2026-20888 on our website for more details including interactive diagrams and full exploit analysis.