Vulnerability Management

Critical Gitea flaw allows authentication bypass via single HTTP header

Attackers are actively exploiting a critical authentication bypass vulnerability in Gitea's official Docker images, tracked as CVE-2026-20896. This flaw, with a CVSS score of 9.8, allows unauthorized access to repositories and sensitive data with the transmission of a single HTTP header, as reported by Security Affairs.

The vulnerability stems from an insecure default configuration in Gitea's official Docker images (versions prior to 1.26.3) where the "REVERSE_PROXY_TRUSTED_PROXIES" setting is set to "*". This wildcard setting incorrectly trusts any IP address as a legitimate reverse proxy. Consequently, attackers can send a crafted "X-WEBAUTH-USER" HTTP header, impersonating any user, including administrators, without needing a password or token. This bypasses authentication entirely, granting access to private repositories, source code, API keys, database credentials, and deploy keys.

While the flaw specifically affects the official Docker images, standard or self-built Gitea installations with secure default configurations are not impacted. Sysdig identified approximately 6,200 internet-exposed Gitea instances, though the exact number of vulnerable systems is unknown. Users are strongly advised to update to Gitea version 1.26.3 or later immediately.

Source: Security Affairs

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds