Gitea Auto-Merge Cancellation Authorization Vulnerability

Vulnerability

An authorization vulnerability has been identified in Gitea's web interface, affecting versions prior to 1.25.4. The handler that cancels a scheduled auto-merge does not verify that the requesting user is permitted to cancel that particular auto-merge; the only effective requirement is read access to the pull request. As a result, a user with nothing more than read access to pull requests can cancel auto-merges scheduled by other users, including repository maintainers.

Impact

Exploitation allows a user with only read access to cancel auto-merges scheduled by other users, so pull requests that were approved and queued to merge once their checks pass do not merge until someone notices and reschedules them. Repeated cancellation amounts to a denial of service against a project's merge workflow. The issue as described is limited to cancellation: it does not let the reader merge, approve, or modify pull requests.

Reproduction

To reproduce this vulnerability, sign in as a user who has only read access to a repository's pull requests and did not schedule the auto-merge in question. Open a pull request on which another user has scheduled an auto-merge and use the cancel auto-merge control in the web interface. On affected versions the cancellation succeeds even though the user lacks write permission on the repository. To confirm the result, view the same pull request as the user who scheduled the merge: the auto-merge is no longer pending.
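The authorization decision described in the Vulnerability and Reproduction sections, as an added illustration in Go (Gitea's language). This is example code written for this page, not Gitea's own handler: the AccessMode levels, the Repository.Access map, the ScheduledAutoMerge record and the users alice, bob and eve are all constructed for the demonstration, and the corrected policy (the caller must hold write access on the repository or be the user who scheduled the merge) is an assumption about what a proper check looks like rather than a description of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is a hypothetical ordered permission level on a repository.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
)

// User and Repository are simplified stand-ins for the real models; the
// Access map (user ID -> mode) is assumed for this example.
type User struct {
	ID   int64
	Name string
}

type Repository struct {
	Name   string
	Access map[int64]AccessMode
}

// ScheduledAutoMerge records who scheduled the auto-merge for a pull request.
type ScheduledAutoMerge struct {
	PullIndex   int64
	ScheduledBy int64
	Cancelled   bool
}

var ErrForbidden = errors.New("forbidden: not allowed to cancel this auto-merge")

// accessOf returns the caller's access mode; a missing key yields AccessNone.
func (r *Repository) accessOf(u *User) AccessMode {
	return r.Access[u.ID]
}

// cancelAutoMergeVulnerable models the behaviour the advisory describes for
// versions before 1.25.4: the only gate is being able to view the pull
// request, so any reader can cancel a merge scheduled by someone else.
func cancelAutoMergeVulnerable(repo *Repository, u *User, s *ScheduledAutoMerge) error {
	if repo.accessOf(u) < AccessRead {
		return ErrForbidden
	}
	s.Cancelled = true
	return nil
}

// cancelAutoMergeChecked adds the missing authorization step. The policy is
// an assumption for this example: the caller must hold write access on the
// repository or be the user who scheduled the merge.
func cancelAutoMergeChecked(repo *Repository, u *User, s *ScheduledAutoMerge) error {
	mode := repo.accessOf(u)
	if mode < AccessRead {
		return ErrForbidden // cannot even see the pull request
	}
	if mode < AccessWrite && u.ID != s.ScheduledBy {
		return ErrForbidden // reader trying to cancel someone else's schedule
	}
	s.Cancelled = true
	return nil
}

// scenario is the constructed setup: alice has write access and scheduled
// the merge, bob has read access only, eve has no access at all.
type scenario struct {
	repo            *Repository
	alice, bob, eve *User
	sched           *ScheduledAutoMerge
}

func newScenario() scenario {
	alice := &User{ID: 1, Name: "alice"}
	bob := &User{ID: 2, Name: "bob"}
	eve := &User{ID: 3, Name: "eve"}
	repo := &Repository{
		Name:   "example/repo",
		Access: map[int64]AccessMode{alice.ID: AccessWrite, bob.ID: AccessRead},
	}
	sched := &ScheduledAutoMerge{PullIndex: 42, ScheduledBy: alice.ID}
	return scenario{repo: repo, alice: alice, bob: bob, eve: eve, sched: sched}
}

func main() {
	sc := newScenario()
	err := cancelAutoMergeVulnerable(sc.repo, sc.bob, sc.sched)
	fmt.Printf("vulnerable handler, bob (read-only): err=%v cancelled=%v\n", err, sc.sched.Cancelled)

	sc = newScenario()
	err = cancelAutoMergeChecked(sc.repo, sc.bob, sc.sched)
	fmt.Printf("checked handler, bob (read-only): err=%v cancelled=%v\n", err, sc.sched.Cancelled)
}
```

The point of the two handlers is that a read check on the pull request is a visibility check, not an authorization check for a state-changing action; the hardened version ties the cancel action to the repository's write permission or to ownership of the schedule, and rejects the read-only user while still letting the scheduler undo their own action.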

Remediation

Upgrade to Gitea version 1.25.4 or later, where the missing authorization check has been added. After upgrading, confirm the running version with gitea --version or from the site administration dashboard. Until the upgrade is applied, treat any user who can read a repository's pull requests as able to cancel its scheduled auto-merges, and verify manually that approved pull requests have actually merged.

Added: Jan 22, 2026, 10:21 PM
Updated: Jan 22, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 2.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.