CVE-2026-20888: Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface

January 23, 2026

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

References

blog.gitea.com/release-of-1.25.4
github.com/advisories/GHSA-9cgq-wp42-4rpq
github.com/go-gitea/gitea
github.com/go-gitea/gitea/pull/36341
github.com/go-gitea/gitea/pull/36356
github.com/go-gitea/gitea/releases/tag/v1.25.4
nvd.nist.gov/vuln/detail/CVE-2026-20888

Code Behaviors & Features

Detect and mitigate CVE-2026-20888 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →