CVE-2026-20896: Gitea Docker CVSS 9.8 — Default Wildcard Trust Allows Unauthenticated User Impersonation — Threat Actors Probing

CVE-2026-20896: Gitea Docker CVSS 9.8 — Default Wildcard Trust Allows Unauthenticated User Impersonation — Threat Actors Probing

CVE: CVE-2026-20896 | CVSS 3.1: 9.8 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-1188 (Insecure Default) | Vendor: Gitea | Product: Gitea Docker Image | Affected versions: Up to and including 1.26.2


What Is the Vulnerability

CVE-2026-20896 is a critical vulnerability in Gitea Docker images caused by a default configuration issue. The shipped app.ini template hard-codes REVERSE_PROXY_TRUSTED_PROXIES = * (wildcard), meaning any source IP address is trusted when reverse-proxy authentication headers such as X-WEBAUTH-USER are used. An unauthenticated attacker who can reach the Gitea Docker port can send a crafted X-WEBAUTH-USER header to impersonate any user, including administrators. This effectively bypasses authentication entirely for any Gitea instance using reverse-proxy login with the default configuration.


Versions Affected

  • Gitea Docker images — versions up to and including 1.26.2

Gitea is a widely used self-hosted Git platform similar to GitHub and GitLab, popular in organisations that need an on-premises Git solution.


Exploited?

Yes — threat actors have been observed probing this vulnerability. Sysdig reports that threat actors are attempting to exploit CVE-2026-20896 13 days after disclosure. The vulnerability is trivially exploitable: simply sending a crafted HTTP header to a default Gitea Docker installation is sufficient to gain admin access.


Fix

Gitea has released updates addressing the default configuration issue.

  • Primary fix: Update Gitea Docker images to the patched version.
  • Configuration fix: Review app.ini to ensure REVERSE_PROXY_TRUSTED_PROXIES is set to specific IP addresses, not a wildcard.
  • Workaround: If reverse-proxy authentication is not needed, disable it in the configuration.

Recommendations

  • Update immediately: Apply the patched Gitea Docker image version.
  • Audit configuration: Check app.ini for REVERSE_PROXY_TRUSTED_PROXIES=* and replace with specific trusted proxy IPs.
  • Review access logs: Look for suspicious X-WEBAUTH-USER headers in requests from unexpected IP addresses.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!