Gitea, Authorization Bypass in Scheduled Auto-Merge Cancellation (Moderate)

Listen to this Post

The vulnerability resides in the HTTP endpoint responsible for canceling scheduled auto-merges for pull requests. When a user sends a request to this endpoint (e.g., POST /repo/{owner}/{repo}/pulls/{index}/auto_merge), the application fails to perform a sufficient authorization check. It validates that the authenticated user has at least read access to the repository but does not verify if the user is the same individual who originally scheduled the auto-merge or possesses explicit merge/write permissions. The flawed logic incorrectly assumes that the ability to view a pull request is equivalent to having the right to modify its automated merge state. This allows an attacker with read-only access to craft a forged HTTP request targeting the auto-merge ID of a pull request scheduled by another user (e.g., a maintainer), leading to its unauthorized cancellation and potential disruption of the integration workflow.
Platform: Gitea
Version: Not specified
Vulnerability: Authorization Bypass
Severity: Moderate
date: Jan 23, 2026

Prediction: Patch by Jan 30, 2026

What Undercode Say:

`curl -X POST -H “Authorization: token $READ_TOKEN” https://gitea.example.com/api/v1/repos/owner/repo/pulls/42/auto_merge`
` Check for missing authorization middleware in the route handler.<h2 style="color: blue;"> grep -r “AutoMerge” /app/gitea/routers/api/v1/repo/pull.go`

How Exploit:

Craft POST request to cancel auto-merge. Requires valid user token with repository read access. Target the auto-merge ID of a privileged user’s pull request.

Protection from this CVE:

Apply vendor patch. Implement proper authorization checks verifying user identity or merge permissions before canceling scheduled actions.

Impact:

Unauthorized cancellation of scheduled pull request merges, disrupting development workflows and potentially causing integration delays.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top