A critical vulnerability CVE-2026-20896 with a CVSS 9.8 score has been discovered in Docker images of the Gitea platform. It allows an unauthenticated attacker to gain access to any account, including the administrative one — without a password or token. The vulnerability affects all versions of Gitea Docker images up to and including 1.26.2 and has been fixed in version 1.26.3. According to Sysdig, reconnaissance activity targeting vulnerable instances was observed just 13 days after public disclosure, although there have been no confirmed cases of successful exploitation so far. Gitea administrators using Docker deployments with a reverse proxy must update immediately.
Technical nature of the vulnerability
The root cause lies in the app.ini configuration file, which is the central settings file for Gitea, controlling server parameters, database connections, and security behavior. In Gitea Docker images, this template hard-coded the parameter REVERSE_PROXY_TRUSTED_PROXIES = *, which meant that the HTTP header X-WEBAUTH-USER was trusted from any source IP address.
The documented safe value for this parameter is 127.0.0.0/8,::1/128, i.e., trust only for localhost. However, the Docker image ignored this default value, substituting the wildcard * instead. In practice, this rendered the trusted proxy list check meaningless.
The exploitation mechanism works as follows:
- The administrator enables the parameter
ENABLE_REVERSE_PROXY_AUTHENTICATION = truein order to place Gitea behind an authenticating reverse proxy - The parameter
REVERSE_PROXY_TRUSTED_PROXIESremains at its default value (*) - Any process capable of connecting directly to the HTTP port of the Gitea container — bypassing the intended authenticating proxy — can send an arbitrary
X-WEBAUTH-USERheader - The server accepts the header value as the name of an authenticated user without any additional verification
As noted in the official Gitea security advisory, obvious targets include administrative accounts with predictable names: admin, gitea_admin, and similar ones. If automatic user registration is enabled, an attacker can create an account with an administrator’s name and obtain full privileges.
The vulnerability was discovered and disclosed by security researcher Ali Mustafa. The researcher’s public repository contains disclosure details, indicating that technical information sufficient to reproduce the attack is available.
Affected versions and fix
- Affected versions: Gitea Docker images up to and including versions 1.26.2
- Fixed version: 1.26.3 (the wildcard
*was removed, and reverse proxy authentication was switched to an explicit opt-in mode)
It is important to stress that the vulnerability is specific to Gitea Docker images. A standard installation from binary files uses a safe default value. The issue arose from a discrepancy between the documented behavior and the actual configuration shipped in the container image.
Observed activity
According to Sysdig, the first activity related to this vulnerability was detected 13 days after public disclosure. However, it should be noted that this information comes from a single source and represents near-real-time telemetry.
Michael Clark, Senior Director of Threat Research at Sysdig, described the observed activity as initial reconnaissance that had not progressed to exploitation. An IP address 159.26.98[.]241 belonging to the ProtonVPN service was recorded. The use of a VPN service precludes drawing attribution conclusions — this could be either targeted reconnaissance or automated scanning.
The exploitation status should be classified as scanning rather than confirmed exploitation in real environments. According to estimated data, about 6,200 Gitea instances are accessible on the internet, although this figure has not been confirmed by independent measurements.
Impact assessment
The criticality of the vulnerability is determined by several factors. Gitea is widely used by development teams as a self-hosted alternative to GitHub and GitLab. Compromising administrative access to Gitea opens the door to source code modification, injection of malicious commits into the software supply chain, theft of secrets and tokens from repositories, as well as lateral movement within an organization’s infrastructure.
The low barrier to exploitation — sending a single HTTP header is sufficient — combined with a CVSS 9.8 score and publicly available technical details makes this vulnerability a top priority for immediate remediation.
Recommendations
- Immediate update: update your Gitea Docker image to version 1.26.3 or later
- Configuration check: ensure that the
REVERSE_PROXY_TRUSTED_PROXIESparameter inapp.iniis set to127.0.0.0/8,::1/128, not* - Network access audit: ensure that the HTTP port of the Gitea container is not directly accessible from the internet and only accepts connections from the trusted reverse proxy
- Log review: analyze logs for requests containing the
X-WEBAUTH-USERheader from IP addresses that do not belong to your reverse proxy - Account audit: check for suspicious accounts, especially those with administrative privileges, created during the vulnerable period
Organizations using Gitea Docker deployments with reverse proxy authentication must update their image to version 1.26.3 and verify the REVERSE_PROXY_TRUSTED_PROXIES value in the configuration. Given the availability of public technical details, the CVSS 9.8 rating, and observed scanning, the window for safe updating is narrowing — remediation priority should be maximal.