CVE-2026-24690

Gitea · Gitea Open Source Git Server

Gitea versions before 1.25.5 contain an access control vulnerability that allows unauthorized updating or rebasing of pull request branches.

Executive summary

A high-severity access control vulnerability in Gitea versions before 1.25.5 permits unauthorized modification of pull request branches, threatening code integrity.

Vulnerability

This vulnerability (CWE-284) involves insufficient permission checks when updating or rebasing pull request branches. Attackers can leverage this flaw to modify pull requests in ways that should be restricted, potentially leading to the injection of unauthorized code changes into protected branches.

Business impact

The CVSS score of 7.5 (High) highlights the risk to the integrity of the development process. If an attacker can manipulate pull requests, they may bypass code review processes or introduce malicious commits, leading to supply chain compromises or unauthorized code execution within the organization's projects. The ability to alter the state of pull requests directly impacts the trust and reliability of the code base.

Remediation

Immediate Action: Upgrade your Gitea instance to version 1.25.5 or later to resolve the permission check deficiencies.

Proactive Monitoring: Monitor Git server logs for suspicious rebase or update activity on pull requests, particularly those originating from unauthorized users.

Compensating Controls: Enforce strict branch protection rules and require signed commits to ensure that any unauthorized changes to pull requests can be detected and reverted.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Maintaining the integrity of the source code is paramount. It is strongly recommended to update to version 1.25.5 immediately to address the insufficient access controls and prevent unauthorized modifications to pull requests, which could otherwise jeopardize the security of the entire software development lifecycle.