Sysdig detected the first exploitation attempts against CVE-2026-20896, a CVSS 9.8 Gitea Docker flaw that lets any reachable IP impersonate admin users via a spoofed X-WEBAUTH-USER header.
Key Takeaways
CVE-2026-20896 is a CVSS 9.8 auth-bypass flaw in official Gitea Docker images through 1.26.2 that lets any reachable IP impersonate users, including admins, via a spoofed X-WEBAUTH-USER header.
The bug stems from a hard-coded wildcard trusted-proxies setting in the container's app.ini template; with reverse-proxy auth and auto-registration enabled, attackers gain full admin access without a password or token.
Sysdig detected the first in-the-wild exploitation attempts 13 days after disclosure, traced to a ProtonVPN IP and so far limited to reconnaissance.
FOFA scans show about 244,500 Gitea fingerprints online, with roughly 6,200 confirmed directly exposed instances.
Fixes: upgrade Docker images to Gitea 1.26.3 or 1.26.4, or at minimum set trusted-proxies to the safe loopback value; unpatched teams should audit admin logins and disable reverse-proxy auth.
Kaan Tınmaz
Threat actors have begun probing internet-facing Gitea Docker deployments for CVE-2026-20896, a critical CVSS 9.8 authentication-bypass flaw that lets an attacker impersonate any user, including admins, with a single spoofed HTTP header, cloud security firm Sysdig warned on July 6.
How the flaw works
The bug lives in the official Gitea Docker images shipped through version 1.26.2. The container ships an app.ini template that hard-codes the reverse-proxy trusted-proxies setting to a wildcard, so whenever an admin enables reverse-proxy authentication, Gitea will trust an X-WEBAUTH-USER header sent from any source IP that can reach the container. With auto-registration on, an attacker who sends an admin header gets full admin access, with no password and no token. Discovered by researcher Ali Mustafa, the flaw was patched in Gitea 1.26.3, which removes the wildcard and makes reverse-proxy auth opt-in.
Active exploitation attempts
Sysdig's Threat Research Team detected the first in-the-wild exploitation attempt 13 days after public disclosure. So far, the traffic, traced to a ProtonVPN IP, has stayed at reconnaissance rather than escalating to post-exploitation, Sysdig senior director Michael Clark said. FOFA scans surface around 244,500 Gitea fingerprints on the public internet, with roughly 6,200 confirmed instances directly exposed.
What defenders should do now
Gitea's advisory urges administrators to upgrade Docker images to 1.26.3 or 1.26.4 immediately, or, at minimum, set the trusted-proxies setting to the documented safe loopback value. Teams that cannot patch straight away should audit admin account activity for anomalous logins and disable reverse-proxy authentication until the container is upgraded.
A critical CVSS 9.8 authentication-bypass vulnerability in official Gitea Docker images through version 1.26.2. A wildcard trusted-proxies setting in the shipped app.ini template makes Gitea trust an X-WEBAUTH-USER header from any source IP when reverse-proxy authentication is enabled, allowing attackers to impersonate any user, including admins.
Is CVE-2026-20896 being actively exploited?
Sysdig's Threat Research Team detected the first exploitation attempts 13 days after public disclosure. The traffic, traced to a ProtonVPN IP, has so far remained at the reconnaissance stage rather than escalating to post-exploitation.
How do I fix or mitigate the Gitea Docker auth-bypass flaw?
Upgrade Docker images to Gitea 1.26.3 or 1.26.4, which remove the wildcard and make reverse-proxy auth opt-in. If you cannot patch immediately, set trusted-proxies to the documented safe loopback value, audit admin accounts for anomalous logins, and disable reverse-proxy authentication until upgraded.
How many Gitea instances are exposed to this vulnerability?
FOFA scans surface around 244,500 Gitea fingerprints on the public internet, with roughly 6,200 confirmed instances directly exposed.