Critical Gitea Docker Auth Bypass CVE-2026-20896 Actively Exploited, Patch Now
A critical authentication bypass vulnerability, CVE-2026-20896, affects official Gitea Docker images through version 1.26.2, allowing attackers to impersonate any user, including administrators, by spoofing a single HTTP header called X-WEBAUTH-USER. The flaw stems from a misconfigured default setting in the Docker images that causes Gitea to accept reverse-proxy identity headers from untrusted sources. Exploitation began in the wild just 13 days after the advisory was published, with active scanning observed and alerts issued by Singapore's Cybersecurity Agency. Approximately 6,200 Gitea instances are publicly reachable on the internet, putting repositories, CI/CD secrets, and downstream pipelines at risk of full compromise. Gitea has released version 1.26.4 as the recommended fix, since 1.26.3 addressed the flaw but introduced a regression, and administrators are urged to restrict REVERSE_PROXY_TRUSTED_PROXIES to explicit trusted IP addresses.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in