diff --git a/doc/configuration.rst b/doc/configuration.rst
index 5544444..4e0b00f 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -1069,6 +1069,21 @@ the user interface of this pagure instance.
 Defaults to: ``ENABLE_DEL_PROJECTS``
 
 
+GIT_HOOK_DB_RO
+~~~~~~~~~~~~~~
+
+This configuration key specifies if the git hook have a read-only (RO) access
+to the database or not.
+Some pagure deployment provide an actual shell account on the host and thus the
+git hook called upon git push are executed under that account. If the user
+manages to by-pass git and is able to access the configuration file, they could
+have access to "private" information. So in those deployments the git hooks
+have a specific configuration file with a database access that is read-only,
+making pagure behave differently in those situations.
+
+Defaults to: ``False``
+
+
 EMAIL_SEND
 ~~~~~~~~~~
 
diff --git a/pagure/hooks/default.py b/pagure/hooks/default.py
index cc62020..770ea6c 100644
--- a/pagure/hooks/default.py
+++ b/pagure/hooks/default.py
@@ -330,12 +330,20 @@ class DefaultRunner(BaseRunner):
 
         # Refresh of all opened PRs
         parent = project.parent or project
-        pagure.lib.tasks.refresh_pr_cache(
-            parent.name,
-            parent.namespace,
-            parent.user.user if parent.is_fork else None,
-            but_uids=pr_uids,
-        )
+        if _config.get("GIT_HOOK_DB_RO", False):
+            pagure.lib.tasks.refresh_pr_cache(
+                parent.name,
+                parent.namespace,
+                parent.user.user if parent.is_fork else None,
+                but_uids=pr_uids,
+            )
+        else:
+            pagure.lib.tasks.refresh_pr_cache.delay(
+                parent.name,
+                parent.namespace,
+                parent.user.user if parent.is_fork else None,
+                but_uids=pr_uids,
+            )
 
         if not project.is_on_repospanner and _config.get(
             "GIT_GARBAGE_COLLECT", False