Hackers are actively exploiting a important vulnerability within the official Docker picture of the Gitea self-hosted Git service that enables an attacker to impersonate any person, together with directors.
This safety flaw is an authentication bypass vulnerability tracked as CVE-2026-20896 and impacts deployments that use the default configuration with reverse proxy authentication headers akin to X-WEBAUTH-USER enabled.
Michael Clark, principal safety researcher at Sysdig, confirmed that exploitation of the flaw started lower than two weeks after it was made public.
There are at present roughly 6,200 Gitea situations uncovered on the general public net, however it’s unclear what number of of them are susceptible.
“Gitea’s official Docker picture ships with `REVERSE_PROXY_TRUSTED_PROXIES=*`. When reverse proxy authentication is enabled, Gitea will belief the `X-WEBAUTH-USER` header from any supply IP, making an unauthenticated web consumer who it claims to be,” Clark warned.
“No password. No token. One header. 13 days after the advisory, Sysdig sensors captured the primary actual hit, a VPN exit scanner that gained entry.”
Gitea is an open supply, self-hosted various to GitHub and GitLab for storing supply code, managing pull requests, collaborating, deploying, and performing CI/CD operations.
Gitea’s official Docker picture configured reverse proxy authentication to belief ID headers from any consumer IP deal with, slightly than solely from a trusted reverse proxy, permitting an unauthenticated attacker to impersonate any person.
The important bug CVE-2026-20896 impacts official Gitea Docker photographs as much as model 1.26.2 within the default configuration.
The admin shared steps to breed it and warned that “any course of that may entry the Gitea container’s HTTP port instantly, with out going via the supposed authentication proxy, can impersonate a person whose login identify is understood or guessable. Administrator accounts (admin, gitea_admin, and so forth.) are apparent targets.”
Gitea has launched variations 1.26.3 and 1.26.4 that deal with CVE-2026-20896 and suggested customers to improve on to the most recent launch, which fixes extra points and regressions launched in 1.26.3.
Singapore’s Cyber Safety Authority (CSA) has additionally issued a warning that CVE-2026-20896 is being actively exploited.
If you happen to can not improve to a safe model, CSA recommends proscribing the REVERSE_PROXY_TRUSTED_PROXIES setting to particular trusted IP addresses as an alternative of the default wildcard.
.

Article picture
Safety groups doc 54% of profitable assaults and problem a warning on solely 14%. The remaining strikes invisibly via the setting.
Picus’ whitepaper exhibits find out how to take a look at your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
