Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets

Attackers are exploiting a critical Gitea flaw (CVE-2026-20896) that bypasses authentication with a single HTTP header, exposing repositories and sensitive data.

Sysdig researchers warn that attackers are actively exploiting a critical authentication bypass flaw, tracked as CVE-2026-20896 (CVSS score of 9.8), which affects Gitea official Docker images before version 1.26.3.

“CVE-2026-20896 exploited 13 days after disclosure. One HTTP header. Access on any internet-facing Gitea.” Sysdig Sr. Director of Threat Research Michael Clark wrote. “No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access.”

Attackers can bypass authentication and gain access to internet-facing Gitea instances, including repositories and sensitive secrets, by sending a single crafted HTTP header with a valid username. The flaw is caused by insecure default settings that accept connections from any IP address instead of restricting access to trusted reverse proxies.

“Gitea’s official Docker image (up to and including 1.26.2) ships REVERSE_PROXY_TRUSTED_PROXIES = * in its default config. If you turn on reverse-proxy login, that wildcard means every source IP is treated as a trusted proxy, so anyone who can reach the port can send an X-WEBAUTH-USER header and get logged in as whoever they want.” reported security researcher Ali Mustafa, who discovered the issue. “No password, no token.”

Gitea can use a reverse proxy to authenticate users by trusting the X-WEBAUTH-USER HTTP header, but only if the request comes from a trusted proxy. Normally, this is protected by an IP allowlist that, by default, trusts only the local machine. However, the official Gitea Docker images are misconfigured: they trust requests from any IP address. As a result, if reverse-proxy authentication is enabled, anyone who can reach the Gitea server can send a crafted HTTP header, impersonate any user, and even gain administrator access. The flaw affects only the official Docker images, not standard or self-built Gitea installations that use the secure default configuration.

“Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable.” the researcher said. “Admin accounts are the obvious targets,”

Gitea versions 1.26.3 and 1.26.4 make reverse-proxy authentication an opt-in feature, fixing the flaw.

According to Sysdig, a Shodan query identified around 6,200 internet-exposed Gitea instances, although the number of vulnerable systems remains unknown. Users should update immediately to protect their code and secrets.

“User access on a Gitea box isn’t “a web panel,” it’s your source code.” Clark concluded. “A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-20896)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter