A critical authentication bypass vulnerability has been exploited in the official Docker image for the self-hosted Git service Gitea. The flaw allows attackers to impersonate any user, including administrators, and is being actively targeted by hackers.
The vulnerability, tracked as CVE-2026-20896, affects deployments using the default configuration where reverse proxy authentication headers such as X-WEBAUTH-USER are enabled. According to Michael Clark, leading security researcher at Sysdig, exploitation of the flaw started less than two weeks before the vulnerability was publicly disclosed.
Gitea’s official Docker image ships with `REVERSE_PROXY_TRUSTED_PROXIES=*`, which trusts identity headers from any client IP address rather than only from trusted reverse proxies. This allows unauthenticated attackers to impersonate arbitrary users, including administrators. Clark warned that ‘No password. No token. One header.’
Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access.
Gitea is an open-source self-hosted alternative to GitHub and GitLab, used to store source code, manage pull requests, collaborate, deploy, and perform CI/CD operations. The official Docker image of Gitea up to and including version 1.26.2 in the default configuration is affected by the CVE-2026-20896 critical bug.
The maintainer shared the steps to reproduce it, warning that ‘any process that can reach the Gitea container’s HTTP port directly – not through the intended authenticating proxy – can impersonate any user whose login name is known or guessable. Admin accounts (admin, gitea_admin, etc.) are the obvious targets.’
Gitea released versions 1.26.3 and 1.26.4 that address CVE-2026-20896 and advised users to upgrade straight to the most recent release, which fixes an additional issue and a regression introduced in 1.26.3.
Singapore’s cybersecurity agency (CSA) has also issued a warning about CVE-2026-20896 being actively exploited. If upgrading to a safe version is not possible, CSA recommends restricting the `REVERSE_PROXY_TRUSTED_PROXIES` setting to specific trusted IP addresses instead of the default wildcard (*).
The agency also recommended reviewing access logs for any suspicious activity to determine if a compromise has already occurred.
Thousands of Gitea Instances Exposed
There are around 6,200 Gitea instances exposed on the public web, although it is unclear how many of them are vulnerable. This raises concerns about the potential impact of this vulnerability and the need for prompt action to be taken by users.
Impact of the Vulnerability
The CVE-2026-20896 critical bug allows attackers to impersonate any user, including administrators, without requiring a password or token. This can lead to unauthorized access to sensitive data and systems, highlighting the importance of addressing this vulnerability promptly.
Mitigation and Recommendations
Gitea has released versions 1.26.3 and 1.26.4 that address CVE-2026-20896. Users are advised to upgrade straight to the most recent release, which fixes an additional issue and a regression introduced in 1.26.3. If upgrading is not possible, CSA recommends restricting the `REVERSE_PROXY_TRUSTED_PROXIES` setting to specific trusted IP addresses instead of the default wildcard (*).
Conclusion
The critical auth bypass vulnerability in Gitea Docker image has been exploited by hackers, exposing thousands of instances to potential attacks. Users are advised to take prompt action to address this vulnerability and prevent unauthorized access to sensitive data and systems.
Source: Original article