CVE: CVE-2026-20896 | CVSS 3.1: 9.8 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-1188 (Insecure Default) | Vendor: Gitea | Product: Gitea Docker Image | Affected versions: Up to and including 1.26.2
What Is the Vulnerability
CVE-2026-20896 is a critical vulnerability in Gitea Docker images caused by a default configuration issue. The shipped app.ini template hard-codes REVERSE_PROXY_TRUSTED_PROXIES = * (wildcard), meaning any source IP address is trusted when reverse-proxy authentication headers such as X-WEBAUTH-USER are used. An unauthenticated attacker who can reach the Gitea Docker port can send a crafted X-WEBAUTH-USER header to impersonate any user, including administrators. This effectively bypasses authentication entirely for any Gitea instance using reverse-proxy login with the default configuration.
Versions Affected
- Gitea Docker images — versions up to and including 1.26.2
Gitea is a widely used self-hosted Git platform similar to GitHub and GitLab, popular in organisations that need an on-premises Git solution.
Exploited?
Yes — threat actors have been observed probing this vulnerability. Sysdig reports that threat actors are attempting to exploit CVE-2026-20896 13 days after disclosure. The vulnerability is trivially exploitable: simply sending a crafted HTTP header to a default Gitea Docker installation is sufficient to gain admin access.
Fix
Gitea has released updates addressing the default configuration issue.
- Primary fix: Update Gitea Docker images to the patched version.
- Configuration fix: Review app.ini to ensure REVERSE_PROXY_TRUSTED_PROXIES is set to specific IP addresses, not a wildcard.
- Workaround: If reverse-proxy authentication is not needed, disable it in the configuration.
Recommendations
- Update immediately: Apply the patched Gitea Docker image version.
- Audit configuration: Check app.ini for REVERSE_PROXY_TRUSTED_PROXIES=* and replace with specific trusted proxy IPs.
- Review access logs: Look for suspicious X-WEBAUTH-USER headers in requests from unexpected IP addresses.
References
- The Hacker News: Gitea Docker Flaw
- NVD Entry for CVE-2026-20896
- Sysdig Research Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.
