Description
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
Published: 2026-07-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gitea versions released before 1.25.5 suffer from insufficient permission checks when a user updates or rebases a pull‑request branch. The description implies that the flaw allows a user who is not supposed to alter the branch’s contents to succeed in doing so, opening a path for the introduction of malicious changes before a pull request is merged. Based on the nature of the vulnerability, it is inferred that such unauthorized changes could compromise code integrity, potentially affecting subsequent build or deployment pipelines, but the description does not explicitly mention code‑review or build impacts.

Affected Systems

The incorrect authorization logic applies to Gitea Open Source Git Server installations with a version older than 1.25.5. Any deployment running a prior release is susceptible because the flaw exists in the core logic that governs pull‑request branch updates.

Risk and Exploitability

The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog; the CVE data does not provide evidence of public exploitation. The flaw can be exploited by any authenticated user with pull‑request interaction rights who should not have permission to rebase or replace a pull‑request branch. This condition is inferred from the described permission model. Consequently, the risk remains significant, especially in environments with permissive contributor access or loosely controlled RBAC.

Generated by OpenCVE AI on July 6, 2026 at 09:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Gitea release 1.25.5 or later to restore proper authorization checks for pull‑request branch operations.
  • If upgrading is not immediately possible, adjust the role‑based permissions to revoke the ability to rebase or replace pull‑request branches from regular contributors, leaving it for administrators only.
  • Ensure the Gitea instance’s RBAC configuration enforces that only users granted explicit rebasing or branch‑replacement privileges can perform those actions, and verify that no broader privilege escalation is enabled.

Generated by OpenCVE AI on July 6, 2026 at 09:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
Title Gitea pull-request branch updates use insufficient permission checks
Weaknesses CWE-284
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:31.693Z

Reserved: 2026-02-22T15:13:33.685Z

Link: CVE-2026-24690

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T04:15:09Z

Weaknesses