Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-20888

Опубликовано: 22 янв. 2026
Источник: redhat
CVSS3: 4.3
EPSS Низкий

Описание

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

An access control flaw has been discovered in Gitea. Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Pipelinesopenshift-pipelines/pipelines-opc-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-425
https://bugzilla.redhat.com/show_bug.cgi?id=2432211gitea: Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)

EPSS

Процентиль: 1%
0.00011
Низкий

4.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-20888

CVSS3: 4.3
nvd
2 месяца назад

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

debian логотип

CVE-2026-20888

CVSS3: 4.3
debian
2 месяца назад

Gitea does not properly verify authorization when canceling scheduled ...

redos логотип

ROS-20260224-73-0027

CVSS3: 4.3
redos
около 1 месяца назад

Уязвимость gitea

github логотип

GHSA-9cgq-wp42-4rpq

github
2 месяца назад

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface

EPSS

Процентиль: 1%
0.00011
Низкий

4.3 Medium

CVSS3