User with Developer access what able to merge into a protected branch - why?

Hi guys,
I can’t quite figure this out:

A user with the Developer role was able to merge a branch (that he didn’t own) into a protected branch.

  1. The protected branch has these settings:

Allowed to merge: Maintainers
Allowed to push: Maintainers

  1. Approvals: Optional

Any idea how?