Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-20896

Gitea Docker image ships permissive reverse-proxy trusted list, allowing header-based auth bypass

The Gitea Docker image up through 1.26.2 shipped with the reverse-proxy trusted-proxy list set to a wildcard, letting an unauthenticated request that sets an X-WEBAUTH-USER header authenticate as an arbitrary account. Reported by Ali Mustafa (@rz1027) in early June 2026, fixed in Gitea 1.26.3. CVSS 9.8. The Hacker News reported opportunistic scanning against exposed instances on 2026-07-06, 13 days after disclosure; roughly 6,200 internet-facing Gitea instances remained exposed at the time.

cat cve-2026-20896.json
Vendor
Gitea
Product
Gitea Docker image (1.26.2 and earlier)
CVSS
9.8
EPSS (exploit probability)
0.8%
Status
exploited-in-wild
Published

CVE-2026-20896 is an authentication-bypass flaw introduced by an overly permissive default in the Gitea Docker image. The image’s reverse-proxy trusted-proxy list was configured to a wildcard rather than the standard loopback range, so Gitea trusted the X-WEBAUTH-USER header on any request that reached the container — regardless of source. That header is Gitea’s reverse-proxy auth handoff, and trusting it from anywhere collapses authentication to “set a username string.”

Reported by Ali Mustafa (@rz1027). The CVSS 3.1 base score is 9.8 — unauthenticated network attack, low complexity, high impact to confidentiality, integrity, and availability.

Affected

  • Gitea Docker image — 1.26.2 and earlier

Source builds installed and configured with the standard loopback trusted-proxy default are not affected — this is specifically a Docker image default problem, not a Gitea core auth flaw.

Patched

  • Gitea 1.26.4 (recommended) — Ships the Docker image with the safe trusted-proxy default and also addresses a regression introduced in 1.26.3. Bump straight to 1.26.4; skip 1.26.3.
  • Gitea 1.26.3release notes, late June 2026. First patch for CVE-2026-20896; superseded by 1.26.4 for the regression.

Timeline

  • Early June 2026 — Ali Mustafa reports the flaw to the Gitea project.
  • ~2026-06-23 — Public disclosure and fix in Gitea 1.26.3.
  • 2026-07-06The Hacker News reports opportunistic scanning against internet-facing Gitea instances; roughly 6,200 remain exposed.
  • 2026-07-10BleepingComputer reports active exploitation confirmed by Sysdig’s Michael Clark (“first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access”). Singapore CSA publishes alert AL-2026-083. Gitea 1.26.4 released to fix a regression in 1.26.3.

KEV status

Not on CISA’s Known Exploited Vulnerabilities catalog at time of publication. Check the catalog directly for updates.

Sourcing