Hackers exploit critical auth bypass in Gitea Docker image

Hackers are actively exploiting a critical vulnerability in the official Docker image for the Gitea self-hosted Git service that allows attackers to impersonate any user, including administrators.
The security flaw is an authentication bypass vulnerability, tracked as CVE-2026-20896, that affects deployments using the default configuration, where reverse proxy authentication headers such as X-WEBAUTH-USER are enabled.
Michael Clark, leading security researcher at Sysdig, confirmed that exploitation of the flaw started less than two weeks before the vulnerability was publicly disclosed.
Currently, there are around 6,200 Gitea instances exposed on the public web, although it is unclear how many of them are vulnerable.
“Gitea's official Docker image ships `REVERSE_PROXY_TRUSTED_PROXIES=*`. With reverse-proxy authentication enabled, Gitea then trusts the `X-WEBAUTH-USER` header from any source IP so an unauthenticated internet client becomes whoever it claims to be,” Clark warned.
“No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access.”
Gitea is an open-source self-hosted alternative to GitHub and GitLab, used to store source code, manage pull requests, collaborate, deploy, and perform CI/CD operations.
Gitea's official Docker image configured reverse-proxy authentication to trust identity headers from any client IP address rather than only from trusted reverse proxies, allowing unauthenticated attackers to impersonate arbitrary users.
The CVE-2026-20896 critical bug affects the official Gitea Docker images up to and including version 1.26.2 in the default configuration.
The maintainer shared the steps to reproduce it, warning that "any process that can reach the Gitea container's HTTP port directly - not through the intended authenticating proxy - can impersonate any user whose login name is known or guessable. Admin accounts (admin, gitea_admin, etc.) are the obvious targets."
Gitea released versions 1.26.3 and 1.26.4 that address CVE-2026-20896 and advised users to upgrade straight to the most recent release, which fixes an additional issue and a regression introduced in 1.26.3.
Singapore’s cybersecurity agency (CSA) has also issued a warning about CVE-2026-20896 being actively exploited.
If upgrading to a safe version is not possible, CSA recommends restricting the REVERSE_PROXY_TRUSTED_PROXIES setting to specific trusted IP addresses instead of the default wildcard (*).
The agency also recommended reviewing access logs for any suspicious activity to determine if a compromise has already occurred.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Wow
0
Sad
0
Angry
0

Comments (0)