Gitea Docker CVE-2026-20896 Auth Bypass

Gitea Docker CVE-2026-20896

Gitea Docker CVE-2026-20896 is now under active exploitation: a single crafted HTTP header lets an unauthenticated attacker impersonate any user of a self-hosted Gitea instance — including an administrator — and walk away with private repositories and any secrets committed by mistake.

What Happened

Gitea’s official Docker image ships with REVERSE_PROXY_TRUSTED_PROXIES=*. On deployments that also enable reverse-proxy authentication (a common configuration for teams putting Gitea behind Nginx or Traefik), Gitea trusts the X-WEBAUTH-USER header from any source IP address. An unauthenticated internet client can simply set that header to “admin” and be treated as the administrator — no password, no session token, no second factor. Gitea CVE-2026-20896 carries a CVSS score of 9.8.

Sysdig researchers confirmed the first in-the-wild exploitation attempt 13 days after public disclosure, traced to a ProtonVPN exit node. A Shodan query turned up roughly 6,200 internet-exposed Gitea instances; the true number of vulnerable, unpatched deployments is unknown because the flaw depends on a configuration detail, not just a version number.

Successful exploitation grants full read/write access to private repositories and any credentials developers may have committed by mistake — API keys, database passwords, CI/CD tokens, and deploy keys. For a Git server, that is effectively the keys to every downstream system the code touches.

Why It Matters

Self-hosted Git is popular with DACH Mittelstand engineering teams precisely because it avoids cloud vendor lock-in and keeps source code on-premises or in a controlled hosting environment. But self-hosted also means self-patched — there is no platform vendor pushing an automatic update, and the reverse-proxy configuration that triggers this flaw is exactly the kind of “it’s been working fine for two years” setting nobody revisits. A compromised Git server does not stay contained to source code: CI/CD tokens harvested from repository secrets extend the blast radius directly into cloud infrastructure, container registries, and production deployment pipelines.

What You Should Do Now

  1. Upgrade Gitea to version 1.26.3 or 1.26.4 immediately — both versions fix CVE-2026-20896.
  2. Verify exposure: check whether your Gitea deployment has reverse-proxy authentication enabled and whether REVERSE_PROXY_TRUSTED_PROXIES is set to the wildcard * in your Docker configuration.
  3. If an immediate upgrade isn’t possible, restrict REVERSE_PROXY_TRUSTED_PROXIES to the specific, trusted IP address of your reverse proxy — never the wildcard.
  4. Audit committed secrets: rotate any API keys, database credentials, or deploy tokens that may have been stored in repositories accessible to the Gitea instance, and review access logs for unexpected X-WEBAUTH-USER header values from unfamiliar source IPs.

DIESEC Perspective

This is a pattern we see regularly in Mittelstand environments: a self-hosted developer tool gets stood up once, works reliably for years, and nobody owns its patch cadence going forward. The reverse-proxy trust setting behind this vulnerability is exactly the kind of default that survives multiple infrastructure migrations unquestioned — until it becomes the single header standing between an anonymous internet request and full administrative access.

Not sure whether your self-hosted developer infrastructure has this gap? Contact DIESEC for a rapid configuration review of your Git hosting and CI/CD secret exposure.

Sources: BleepingComputer | The Hacker News
Published: 2026-07-14 | Category: Vulnerabilities & Patches | ~4 min read