I have some private repos. But I discovered that anyone can CLONE and PUSH my private repo by the URL without any authorization.
Am I missing some security options, or is this a bug?
Sounds more like you missed a configuration option. We’ve been using private repos for years and don’t have this problem. You need to check your configuration.
Or perhaps you are using Git on Windows, which caches the auth credentials?
Which configuration will cause this? I tested this issue on a new machine. I’ve been using gitlab.com for years, and I haven’t had this problem with private repos before.