Attackers Probe Critical Gitea Docker Auth-Bypass Flaw CVE-2026-20896

Sysdig detected the first exploitation attempts against CVE-2026-20896, a CVSS 9.8 Gitea Docker flaw that lets any reachable IP impersonate admin users via a spoofed X-WEBAUTH-USER header.

Key Takeaways

  • CVE-2026-20896 is a CVSS 9.8 auth-bypass flaw in official Gitea Docker images through 1.26.2 that lets any reachable IP impersonate users, including admins, via a spoofed X-WEBAUTH-USER header.
  • The bug stems from a hard-coded wildcard trusted-proxies setting in the container's app.ini template; with reverse-proxy auth and auto-registration enabled, attackers gain full admin access without a password or token.
  • Sysdig detected the first in-the-wild exploitation attempts 13 days after disclosure, traced to a ProtonVPN IP and so far limited to reconnaissance.
  • FOFA scans show about 244,500 Gitea fingerprints online, with roughly 6,200 confirmed directly exposed instances.
  • Fixes: upgrade Docker images to Gitea 1.26.3 or 1.26.4, or at minimum set trusted-proxies to the safe loopback value; unpatched teams should audit admin logins and disable reverse-proxy auth.

Attackers Probe Critical Gitea Docker Auth-Bypass Flaw CVE-2026-20896

Threat actors have begun probing internet-facing Gitea Docker deployments for CVE-2026-20896, a critical CVSS 9.8 authentication-bypass flaw that lets an attacker impersonate any user, including admins, with a single spoofed HTTP header, cloud security firm Sysdig warned on July 6.

How the flaw works

The bug lives in the official Gitea Docker images shipped through version 1.26.2. The container ships an app.ini template that hard-codes the reverse-proxy trusted-proxies setting to a wildcard, so whenever an admin enables reverse-proxy authentication, Gitea will trust an X-WEBAUTH-USER header sent from any source IP that can reach the container. With auto-registration on, an attacker who sends an admin header gets full admin access, with no password and no token. Discovered by researcher Ali Mustafa, the flaw was patched in Gitea 1.26.3, which removes the wildcard and makes reverse-proxy auth opt-in.

Active exploitation attempts

Sysdig's Threat Research Team detected the first in-the-wild exploitation attempt 13 days after public disclosure. So far, the traffic, traced to a ProtonVPN IP, has stayed at reconnaissance rather than escalating to post-exploitation, Sysdig senior director Michael Clark said. FOFA scans surface around 244,500 Gitea fingerprints on the public internet, with roughly 6,200 confirmed instances directly exposed.

Server rack with cybersecurity alerting overlay

What defenders should do now

Gitea's advisory urges administrators to upgrade Docker images to 1.26.3 or 1.26.4 immediately, or, at minimum, set the trusted-proxies setting to the documented safe loopback value. Teams that cannot patch straight away should audit admin account activity for anomalous logins and disable reverse-proxy authentication until the container is upgraded.

The Gitea disclosure follows other high-severity DevOps and container flaws tracked on The Robotics Media, including the May Gitea container registry bug, CISA's SharePoint RCE alert, and Chrome 151's security bundle.

Reporting based on coverage from The Hacker News, Sysdig, and the Gitea security advisory.

Category: Cyber Security

Tags: AI Cybersecurity CVE

Related Articles

Frequently Asked Questions

What is CVE-2026-20896?

A critical CVSS 9.8 authentication-bypass vulnerability in official Gitea Docker images through version 1.26.2. A wildcard trusted-proxies setting in the shipped app.ini template makes Gitea trust an X-WEBAUTH-USER header from any source IP when reverse-proxy authentication is enabled, allowing attackers to impersonate any user, including admins.

Is CVE-2026-20896 being actively exploited?

Sysdig's Threat Research Team detected the first exploitation attempts 13 days after public disclosure. The traffic, traced to a ProtonVPN IP, has so far remained at the reconnaissance stage rather than escalating to post-exploitation.

How do I fix or mitigate the Gitea Docker auth-bypass flaw?

Upgrade Docker images to Gitea 1.26.3 or 1.26.4, which remove the wildcard and make reverse-proxy auth opt-in. If you cannot patch immediately, set trusted-proxies to the documented safe loopback value, audit admin accounts for anomalous logins, and disable reverse-proxy authentication until upgraded.

How many Gitea instances are exposed to this vulnerability?

FOFA scans surface around 244,500 Gitea fingerprints on the public internet, with roughly 6,200 confirmed instances directly exposed.