diff --git a/tests/integration/repo_migrate_credentials_test.go b/tests/integration/repo_migrate_credentials_test.go
new file mode 100644
index 0000000000..b63ca9b29e
--- /dev/null
+++ b/tests/integration/repo_migrate_credentials_test.go
@@ -0,0 +1,95 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	"forgejo.org/models/admin"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/structs"
+	"forgejo.org/modules/test"
+	"forgejo.org/services/migrations"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestRepoMigrateWithCredentials(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)()
+		require.NoError(t, migrations.Init())
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		session := loginUser(t, "user2")
+
+		t.Run("Incorrect credentials", func(t *testing.T) {
+			session.MakeRequest(t, NewRequestWithValues(t, "POST", "/repo/migrate", map[string]string{
+				"_csrf":         GetCSRF(t, session, "/repo/migrate?service_type=1"),
+				"clone_addr":    u.JoinPath("/user2/repo2").String(),
+				"auth_username": "user2",
+				"auth_password": userPassword + "1",
+				"uid":           "2",
+				"repo_name":     "migrating-with-credentials",
+				"service":       "1",
+			}), http.StatusSeeOther)
+
+			repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: "migrating-with-credentials"}, "is_empty = true")
+			unittest.AssertExistsAndLoadBean(t, &admin.Task{
+				RepoID: repo.ID,
+				Type:   structs.TaskTypeMigrateRepo,
+				Status: structs.TaskStatusFailed,
+			})
+		})
+
+		t.Run("Normal", func(t *testing.T) {
+			session.MakeRequest(t, NewRequestWithValues(t, "POST", "/repo/migrate", map[string]string{
+				"_csrf":         GetCSRF(t, session, "/repo/migrate?service_type=1"),
+				"clone_addr":    u.JoinPath("/user2/repo2").String(),
+				"auth_username": "user2",
+				"auth_password": userPassword,
+				"uid":           "2",
+				"repo_name":     "migrating-with-credentials-2",
+				"service":       "1",
+			}), http.StatusSeeOther)
+
+			repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: "migrating-with-credentials-2"}, "is_empty = false")
+			unittest.AssertExistsAndLoadBean(t, &admin.Task{
+				RepoID: repo.ID,
+				Type:   structs.TaskTypeMigrateRepo,
+				Status: structs.TaskStatusFinished,
+			})
+		})
+
+		t.Run("Dangerous credential", func(t *testing.T) {
+			// Temporaily change the password
+			dangerousPassword := "some`echo foo`thing"
+			require.NoError(t, user2.SetPassword(dangerousPassword))
+			require.NoError(t, user_model.UpdateUserCols(t.Context(), user2, "passwd", "passwd_hash_algo", "salt"))
+
+			session = loginUserWithPassword(t, "user2", dangerousPassword)
+
+			session.MakeRequest(t, NewRequestWithValues(t, "POST", "/repo/migrate", map[string]string{
+				"_csrf":         GetCSRF(t, session, "/repo/migrate?service_type=1"),
+				"clone_addr":    u.JoinPath("/user2/repo2").String(),
+				"auth_username": "user2",
+				"auth_password": dangerousPassword,
+				"uid":           "2",
+				"repo_name":     "migrating-with-credentials-3",
+				"service":       "1",
+			}), http.StatusSeeOther)
+
+			repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: "migrating-with-credentials-3"}, "is_empty = false")
+			unittest.AssertExistsAndLoadBean(t, &admin.Task{
+				RepoID: repo.ID,
+				Type:   structs.TaskTypeMigrateRepo,
+				Status: structs.TaskStatusFinished,
+			})
+		})
+	})
+}