CVE-2026-20888 – This vulnerability in Gitea allows users with r... (How to Fix)

Q: What is the severity of CVE-2026-20888?

CVE-2026-20888 has a CVSS score of 4.3 (MEDIUM). This vulnerability in Gitea allows users with read access to pull requests to cancel scheduled auto-merges created by other users. It's an authorization bypass that affects all Gitea instances running vulnerable versions. Any organization using Gitea for code collaboration is potentially affected.

📋 TL;DR

This vulnerability in Gitea allows users with read access to pull requests to cancel scheduled auto-merges created by other users. It's an authorization bypass that affects all Gitea instances running vulnerable versions. Any organization using Gitea for code collaboration is potentially affected.

💻 Affected Systems

Products:

Gitea

Versions: Versions before 1.25.4

Operating Systems: All platforms running Gitea

Default Config Vulnerable: ⚠️ Yes

Notes: All Gitea installations with pull request functionality enabled are vulnerable. The vulnerability exists in the web interface authorization logic.

📦 What is this software?

Gitea by Gitea

View all CVEs affecting Gitea →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious actors could disrupt development workflows by canceling critical auto-merges, potentially delaying releases or causing merge conflicts that require manual intervention.

🟠

Likely Case

Accidental or intentional disruption of scheduled merges by users with read-only access, causing minor workflow interruptions and requiring re-scheduling of merges.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to temporary workflow disruption that can be quickly detected and corrected.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires at least read access to pull requests. The vulnerability is in the web interface authorization check.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.4

Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64

Restart Required: Yes

Instructions:

1. Backup your Gitea instance and database. 2. Download Gitea 1.25.4 or later from official releases. 3. Stop the Gitea service. 4. Replace the Gitea binary with the new version. 5. Restart the Gitea service. 6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable auto-merge functionality

all

Temporarily disable scheduled auto-merges until patching can be completed

# This requires modifying repository settings or disabling the feature at the instance level

Restrict pull request access

all

Limit read access to pull requests to trusted users only

# Configure repository permissions to restrict who can view pull requests

🧯 If You Can't Patch

Implement strict access controls to limit who has read access to pull requests
Monitor auto-merge cancellation logs and set up alerts for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check if your Gitea version is below 1.25.4. The vulnerability affects all versions before this patch.

Check Version:

./gitea --version

Verify Fix Applied:

After upgrading to 1.25.4 or later, verify that users with only read access cannot cancel scheduled auto-merges created by other users.

📡 Detection & Monitoring

Log Indicators:

Log entries showing auto-merge cancellations by users who only have read permissions
Unexpected auto-merge cancellation events

Network Indicators:

HTTP POST requests to auto-merge cancellation endpoints from unauthorized users

SIEM Query:

source="gitea.log" AND "cancel auto-merge" AND user_permission="read"

📊 Metadata

CVE ID: CVE-2026-20888

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-284

EPSS Score: 0.03% exploit probability (8th percentile)

Published: January 22, 2026

Last Updated: January 29, 2026

🔗 References

https://blog.gitea.com/release-of-1.25.4/ Release Notes
https://github.com/go-gitea/gitea/pull/36341 Issue Tracking,Patch
https://github.com/go-gitea/gitea/pull/36356 Issue Tracking,Patch
https://github.com/go-gitea/gitea/releases/tag/v1.25.4 Release Notes
https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64 Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-20888, you might also want to check these: