Attackers are actively exploiting a critical authentication bypass vulnerability in Gitea's official Docker images, tracked as CVE-2026-20896. This flaw, with a CVSS score of 9.8, allows unauthorized access to repositories and sensitive data with the transmission of a single HTTP header, as reported by Security Affairs.The vulnerability stems from an insecure default configuration in Gitea's official Docker images (versions prior to 1.26.3) where the "REVERSE_PROXY_TRUSTED_PROXIES" setting is set to "*". This wildcard setting incorrectly trusts any IP address as a legitimate reverse proxy. Consequently, attackers can send a crafted "X-WEBAUTH-USER" HTTP header, impersonating any user, including administrators, without needing a password or token. This bypasses authentication entirely, granting access to private repositories, source code, API keys, database credentials, and deploy keys.While the flaw specifically affects the official Docker images, standard or self-built Gitea installations with secure default configurations are not impacted. Sysdig identified approximately 6,200 internet-exposed Gitea instances, though the exact number of vulnerable systems is unknown. Users are strongly advised to update to Gitea version 1.26.3 or later immediately.Source: Security Affairs
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




