CVE-2026-24690
Gitea · Gitea Open Source Git Server
Gitea versions before 1.25.5 contain an access control vulnerability that allows unauthorized updating or rebasing of pull request branches.
Executive summary
A high-severity access control vulnerability in Gitea versions before 1.25.5 permits unauthorized modification of pull request branches, threatening code integrity.
Vulnerability
This vulnerability (CWE-284) involves insufficient permission checks when updating or rebasing pull request branches. Attackers can leverage this flaw to modify pull requests in ways that should be restricted, potentially leading to the injection of unauthorized code changes into protected branches.
Business impact
The CVSS score of 7.5 (High) highlights the risk to the integrity of the development process. If an attacker can manipulate pull requests, they may bypass code review processes or introduce malicious commits, leading to supply chain compromises or unauthorized code execution within the organization's projects. The ability to alter the state of pull requests directly impacts the trust and reliability of the code base.
Remediation
Immediate Action: Upgrade your Gitea instance to version 1.25.5 or later to resolve the permission check deficiencies.
Proactive Monitoring: Monitor Git server logs for suspicious rebase or update activity on pull requests, particularly those originating from unauthorized users.
Compensating Controls: Enforce strict branch protection rules and require signed commits to ensure that any unauthorized changes to pull requests can be detected and reverted.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Maintaining the integrity of the source code is paramount. It is strongly recommended to update to version 1.25.5 immediately to address the insufficient access controls and prevent unauthorized modifications to pull requests, which could otherwise jeopardize the security of the entire software development lifecycle.