Full Report
Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated
Analysis Summary
# Vulnerability: Insecure Default Trust in Gitea Docker Configuration
## CVE Details
- **CVE ID:** CVE-2026-20896
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-1390 (Weak Authentication) / CWE-1188 (Insecure Default Variable Initialization)
## Affected Systems
- **Products:** Gitea (Official Docker Images)
- **Versions:** Versions prior to and including 1.26.2
- **Configurations:** Systems where `ENABLE_REVERSE_PROXY_AUTHENTICATION` is set to `true` and the system is accessible directly (bypassing the intended proxy).
## Vulnerability Description
This vulnerability arises from an insecure default configuration in the Gitea Docker image’s `app.ini` template. The configuration hard-coded `REVERSE_PROXY_TRUSTED_PROXIES` to a wildcard (`*`), instructing the application to trust the `X-WEBAUTH-USER` HTTP header from any source IP address.
When reverse proxy authentication is enabled, Gitea relies on this header to identify the logged-in user. Because the Docker image trusted all sources by default, an attacker can bypass the authenticating reverse proxy and send a spoofed `X-WEBAUTH-USER` header directly to the Gitea container’s port to impersonate any user, including administrators.
## Exploitation
- **Status:** Exploited in the wild (Reconnaissance and initial probing detected by security researchers).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to repositories, user data, and private code).
- **Integrity:** High (Ability to modify code, inject malicious commits, or change administrative settings).
- **Availability:** High (Ability to delete data or disrupt services via administrative access).
## Remediation
### Patches
- **Update to Gitea version 1.26.3 or later.** These versions remove the dangerous `*` wildcard default and make reverse-proxy authentication an opt-in feature with safer defaults (`127.0.0.0/8, ::1/128`).
### Workarounds
- Manually edit the `app.ini` file to restrict `REVERSE_PROXY_TRUSTED_PROXIES` to specific, known IP addresses of your authorized reverse proxies.
- Ensure that the Gitea container's HTTP port is not exposed to the internet and is only reachable by the designated reverse proxy.
## Detection
- **Indicators of Compromise:** Unusual login activity originating from unexpected IP addresses, particularly those associated with VPN services (e.g., `159.26.98[.]241`).
- **Detection Methods:** Monitor web server logs for direct requests containing the `X-WEBAUTH-USER` header that do not originate from the trusted reverse proxy IP. Audit administrative actions for unauthorized changes.
## References
- **Vendor Advisory:** [github[.]com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4]
- **Researcher Report:** [github[.]com/rz1027/CVE-2026-20896]
- **Release Notes:** [blog[.]gitea[.]com/release-of-1.26.3-and-1.26.4/]
- **News Coverage:** [thehackernews[.]com/2026/07/threat-actors-probe-gitea-docker-flaw.html]