Gitea Branch Deletion Permission Vulnerability After Pull Request Merge

Vulnerability

Gitea versions prior to 1.22.5 do not properly enforce branch deletion permissions after a pull request has been merged. Because of this oversight, a user who lacks permission to remove a branch may nevertheless be able to delete it once the pull request that targeted or originated from it has been merged.

Impact

Exploitation of this vulnerability could lead to unauthorized branch deletions, potentially disrupting the workflow and version control process.

Reproduction

To reproduce this vulnerability, merge a pull request in a repository on a Gitea instance running a version prior to 1.22.5. After the merge, attempt to delete a branch as a user who should not be permitted to remove it. On affected versions the deletion may be improperly authorized, and the branch is removed contrary to the repository's configured permissions.

Remediation

Upgrade to Gitea version 1.22.5 or later, where this vulnerability has been fixed.
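The remediation above is a version check, so the practical first step for an operator is to find every Gitea instance still below 1.22.5. The following script is an added example for this advisory, not code from Gitea or from the advisory's author. It parses Gitea version strings (the plain "1.22.4" form as well as tagged or development builds such as "v1.23.0-rc1" or "1.21.11+dev-17-gabc1234"), compares the numeric core against 1.22.5, and can optionally query a live instance through Gitea's public GET /api/v1/version endpoint. Pre-release builds of exactly 1.22.5 are treated as affected, a conservative assumption rather than something the advisory states. The host names and versions in SAMPLE_INVENTORY are constructed sample data.

```python
import json
import re
import urllib.request
from typing import Dict, Tuple

# First release the advisory names as fixed.
FIXED_VERSION = (1, 22, 5)

# Optional leading "v", MAJOR.MINOR.PATCH, optional "-..." or "+..." suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$")
_PRERELEASE_RE = re.compile(r"(rc|dev|alpha|beta)", re.IGNORECASE)


def parse_gitea_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a Gitea version string.

    Raises ValueError for strings that do not carry a MAJOR.MINOR.PATCH core.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = m.group(4) or ""
    is_prerelease = bool(_PRERELEASE_RE.search(suffix))
    return core, is_prerelease


def is_affected(version: str) -> bool:
    """True if the version is below 1.22.5 and therefore covered by this advisory."""
    core, is_prerelease = parse_gitea_version(version)
    if core < FIXED_VERSION:
        return True
    # Conservative assumption (not stated by the advisory): an rc/dev build of
    # 1.22.5 may predate the fix, so report it as affected too.
    if core == FIXED_VERSION and is_prerelease:
        return True
    return False


def fetch_gitea_version(base_url: str, timeout: float = 5.0) -> str:
    """Ask a live Gitea instance for its version via GET /api/v1/version.

    The endpoint returns a JSON object of the form {"version": "1.22.4"}.
    Network access is needed only when this helper is called.
    """
    url = base_url.rstrip("/") + "/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host to whether its reported version is affected."""
    return {host: is_affected(version) for host, version in inventory.items()}


# Constructed sample inventory (host -> version reported by /api/v1/version).
SAMPLE_INVENTORY = {
    "build.example.internal": "1.22.4",
    "git.example.internal": "1.22.5",
    "lab.example.internal": "v1.23.0-rc1",
    "old.example.internal": "1.21.11+dev-17-gabc1234",
}


if __name__ == "__main__":
    for host, affected in audit(SAMPLE_INVENTORY).items():
        status = "UPGRADE to >= 1.22.5" if affected else "ok"
        print(f"{host:28} {SAMPLE_INVENTORY[host]:26} {status}")
```

To check real instances, replace SAMPLE_INVENTORY with the output of fetch_gitea_version() for each base URL; anything reported as affected should be scheduled for the upgrade named in the remediation.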

Added: Dec 26, 2025, 3:19 AM
Updated: Dec 26, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 1.6
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.