CVE-2026-20888

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Gitea (affected versions not specified)

Description Gitea does not properly verify authorization when canceling scheduled auto-merges through the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. This impacts the authorization process for canceling scheduled auto-merges.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Access Control

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-862

Related Identifiers

BIT-GITEA-2026-20888

CVE-2026-20888

GHSA-9CGQ-WP42-4RPQ

GHSA-CCQ9-C5HV-CF64

GO-2026-4366

SUSE-SU-2026:0403-1

Affected Products

Gitea

Red Os

CVE-2026-20888

Weakness Enumeration

Related Identifiers

Affected Products

References · 96