Hackers are actively exploiting a critical authentication bypass vulnerability in the official Docker image for Gitea, the self-hosted Git service used as an alternative to GitHub and GitLab. The flaw, tracked as CVE-2026-20896, allows attackers to impersonate any user, including administrators, on deployments using the default configuration.

How the flaw works

Gitea’s official Docker image ships with REVERSE_PROXY_TRUSTED_PROXIES=*. When reverse-proxy authentication is enabled, a common setup, Gitea trusts the X-WEBAUTH-USER header from any source IP rather than restricting it to a legitimate authenticating proxy. This means an unauthenticated client on the internet can simply set that header to a known or guessable username and gain access as that user, no password or token required.

Michael Clark, lead security researcher at Sysdig, said exploitation began less than two weeks before the vulnerability was publicly disclosed. According to Clark, Sysdig sensors detected the first in-the-wild exploitation attempt 13 days after the advisory, involving a VPN-exit scanner that used the technique to grab access. Admin accounts with predictable names such as “admin” or “gitea_admin” are described as the obvious targets.

Roughly 6,200 Gitea instances are currently exposed on the public web, though it remains unclear how many of them are running vulnerable, unpatched configurations.

Affected versions and fixes

CVE-2026-20896 affects official Gitea Docker images up to and including version 1.26.2 in their default configuration. Gitea released version 1.26.3 to address the issue, followed by 1.26.4 after a regression was introduced in 1.26.3 along with an additional fix. The maintainer advises upgrading directly to 1.26.4.

Mitigation

Singapore’s Cyber Security Agency (CSA) has issued a warning about active exploitation of CVE-2026-20896. For organizations unable to upgrade immediately, CSA recommends:

  • Restricting REVERSE_PROXY_TRUSTED_PROXIES to specific trusted IP addresses instead of the default wildcard (*)
  • Reviewing access logs for suspicious activity to determine whether a compromise has already occurred

Given active exploitation and the low barrier to entry (a single spoofable HTTP header), administrators running Gitea via the official Docker image should treat this as an urgent patching priority.