HackMyIP
← Back to News
2026-07-06 The Hacker News

Critical Gitea Docker Flaw CVE-2026-20896 Actively Exploited Within Days

VulnerabilityCloud SecurityAuthentication

Threat actors began probing a critical security flaw in Gitea Docker images just 13 days after public disclosure, according to cloud security firm Sysdig. Tracked as CVE-2026-20896, the vulnerability carries a CVSS score of 9.8 and stems from the DevOps platform unconditionally trusting the "X-WEBAUTH-USER" HTTP header from any source IP address. This design flaw allows an unauthenticated remote client to impersonate any user, including administrators, without supplying a password or token. The bug was reported by security researcher Ali Mustafa (@rz1027), who explained that the official Gitea Docker image ships an "app.ini" template that hard-codes "REVERSE_PROXY_TRUSTED_PROXIES = *" as its default, instead of the documented safe value of "127.0.0.0/8,::1/128." When an administrator enables reverse-proxy authentication by setting "ENABLE_REVERSE_PROXY_AUTHENTICATION = true" and leaves the trusted-proxies setting untouched, the wildcard effectively disables the allowlist, opening the door to header-based impersonation attacks against any of the roughly 6,200 internet-facing Gitea instances worldwide.

The vulnerability affects Gitea Docker images at versions 1.26.2 and earlier, and has been remediated in version 1.26.3, which removes the wildcard and makes reverse-proxy authentication opt-in. Gitea warned in its advisory that any process capable of reaching the container's HTTP port directly—bypassing the intended authenticating proxy—can impersonate any user whose login name is known or guessable, with obvious targets being default admin accounts such as "admin" or "gitea_admin." Attackers investigating the flaw could use a port scanner to locate exposed Gitea instances and a VPN/proxy detector to assess whether their own traffic is being properly anonymized, or check whether administrator credentials have already been exposed via an email breach checker.

Sysdig reported that the earliest in-the-wild probing activity originated from the IP address 159.26.98[.]241, an endpoint associated with the ProtonVPN service. Senior director of threat research Michael Clark noted that the activity so far appears limited to initial reconnaissance, with no observed progression to full exploitation. "While we saw the first action from an IP from the ProtonVPN service, it has not so far progressed to any exploitation or attack progress," Clark told The Hacker News. "We think this is because we have seen this one early before it has had the chance to develop beyond that initial [stage]." Organizations running Gitea in containerized environments are strongly urged to upgrade to version 1.26.3 immediately, audit their "app.ini" configurations for wildcard trusted-proxy entries, and ensure that no Gitea containers are inadvertently exposed to the public internet without an authenticating reverse proxy in front of them.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Password Checker →Email Breach Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

Password security basics →Two-factor authentication explained →How to create a strong password →