Impact
Gitea does not correctly enforce authorization checks when a user accesses the web interface endpoint used to cancel scheduled auto-merges. As a result, any account with read access to pull requests can invoke this endpoint and cancel auto-merge jobs that were scheduled by other users. A low-privileged user can therefore interfere with the repository's merge workflow, potentially delaying or preventing the integration of code changes. The vulnerability is an example of improper authorization (CWE-284) and authorization bypass (CWE-862).
Affected Systems
The affected vendor is the Gitea open source Git server. The CVE does not specify which releases are vulnerable, but the advisory references release 1.25.4, where the issue was addressed. Consequently, any Gitea installation running a release earlier than that patch, or that has otherwise not been updated to a fixed version, should be considered susceptible.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog, so no active exploitation is documented. The attack can be performed over the web from any browser session that has read access to pull requests, without elevated permissions or authentication steps beyond normal access to pull requests. Because the flaw is a missing authorization check on a single endpoint rather than a system-wide compromise, the potential impact is confined to cancelling scheduled merges, though this could disrupt automated pipelines and delay code delivery.
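To make the Impact and Risk sections concrete, the following Go example (added here; it is not Gitea's code) contrasts a cancel-auto-merge handler that stops at the read-access check with one that adds the missing authorization step. The Repo and AutoMerge types, and the rule that only the scheduling user or a repository writer may cancel, are assumptions for this example rather than the exact logic shipped in Gitea 1.25.4.

```go
package main
import (
	"errors"
	"fmt"
)
// Stand-in models constructed for this example (not Gitea's own types).
// Repo.Access maps user ID -> true for write access, false for read-only;
// a user absent from the map cannot see the pull request at all. AutoMerge
// records who scheduled the merge (DoerID) and whether it is still pending.
type Repo struct{ Access map[int64]bool }
type AutoMerge struct{ DoerID int64; Pending bool }
var ErrForbidden = errors.New("forbidden")
var ErrNotScheduled = errors.New("no auto-merge scheduled")
// cancelVulnerable mirrors the flaw described above: reaching the endpoint
// only requires read access to the pull request, and nothing else is checked.
func cancelVulnerable(repo *Repo, callerID int64, am *AutoMerge) error {
	if _, canSee := repo.Access[callerID]; !canSee {
		return ErrForbidden
	}
	if !am.Pending {
		return ErrNotScheduled
	}
	am.Pending = false
	return nil
}
// cancelFixed adds the missing authorization step. The rule is an assumption
// for this example, not necessarily the one shipped in Gitea 1.25.4: only the
// user who scheduled the auto-merge, or a user with write access, may cancel.
func cancelFixed(repo *Repo, callerID int64, am *AutoMerge) error {
	canWrite, canSee := repo.Access[callerID]
	if !canSee {
		return ErrForbidden
	}
	if !am.Pending {
		return ErrNotScheduled
	}
	if callerID != am.DoerID && !canWrite {
		return ErrForbidden
	}
	am.Pending = false
	return nil
}
func main() {
	repo := &Repo{Access: map[int64]bool{1: true, 2: false}} // 1 writer, 2 reader
	am := &AutoMerge{DoerID: 1, Pending: true}
	fmt.Println("vulnerable:", cancelVulnerable(repo, 2, am)) // <nil>: reader cancelled it
	am.Pending = true
	fmt.Println("fixed:", cancelFixed(repo, 2, am)) // forbidden
}
```

The defensive takeaway is that a state-changing endpoint must re-check who may perform the action, not only who may view the object it acts on.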
OpenCVE Enrichment
Github GHSA