Gitea Docker image ships permissive reverse-proxy trusted list, allowing header-based auth bypass
The Gitea Docker image up through 1.26.2 shipped with the reverse-proxy trusted-proxy list set to a wildcard, letting an unauthenticated request that sets an X-WEBAUTH-USER header authenticate as an arbitrary account. Reported by Ali Mustafa (@rz1027) in early June 2026, fixed in Gitea 1.26.3. CVSS 9.8. The Hacker News reported opportunistic scanning against exposed instances on 2026-07-06, 13 days after disclosure; roughly 6,200 internet-facing Gitea instances remained exposed at the time.
- Vendor
- Gitea
- Product
- Gitea Docker image (1.26.2 and earlier)
- CVSS
- 9.8
- EPSS (exploit probability)
- 0.8%
- Status
- exploited-in-wild
- Published
CVE-2026-20896 is an authentication-bypass flaw introduced by an
overly permissive default in the Gitea Docker image. The image’s
reverse-proxy trusted-proxy list was configured to a wildcard rather
than the standard loopback range, so Gitea trusted the X-WEBAUTH-USER
header on any request that reached the container — regardless of source.
That header is Gitea’s reverse-proxy auth handoff, and trusting it from
anywhere collapses authentication to “set a username string.”
Reported by Ali Mustafa (@rz1027). The CVSS 3.1 base score is 9.8 — unauthenticated network attack, low complexity, high impact to confidentiality, integrity, and availability.
Affected
- Gitea Docker image — 1.26.2 and earlier
Source builds installed and configured with the standard loopback trusted-proxy default are not affected — this is specifically a Docker image default problem, not a Gitea core auth flaw.
Patched
- Gitea 1.26.4 (recommended) — Ships the Docker image with the safe trusted-proxy default and also addresses a regression introduced in 1.26.3. Bump straight to 1.26.4; skip 1.26.3.
- Gitea 1.26.3 — release notes, late June 2026. First patch for CVE-2026-20896; superseded by 1.26.4 for the regression.
Timeline
- Early June 2026 — Ali Mustafa reports the flaw to the Gitea project.
- ~2026-06-23 — Public disclosure and fix in Gitea 1.26.3.
- 2026-07-06 — The Hacker News reports opportunistic scanning against internet-facing Gitea instances; roughly 6,200 remain exposed.
- 2026-07-10 — BleepingComputer reports active exploitation confirmed by Sysdig’s Michael Clark (“first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access”). Singapore CSA publishes alert AL-2026-083. Gitea 1.26.4 released to fix a regression in 1.26.3.
KEV status
Not on CISA’s Known Exploited Vulnerabilities catalog at time of publication. Check the catalog directly for updates.
Sourcing
- BleepingComputer: Hackers exploit critical auth bypass in Gitea Docker image (2026-07-10)
- Singapore CSA: Alert AL-2026-083 (2026-07-10)
- Gitea: GHSA-f75j-4cw6-rmx4
- The Hacker News: Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure (2026-07-06)
- Gitea: v1.26.3 release notes
- CISA KEV: known-exploited-vulnerabilities-catalog
