PT-2026-52216 · Gitea · Gitea
Joshua Martinelle
+1
·
Published
2026-06-25
·
Updated
2026-07-07
·
CVE-2026-20896
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Gitea Docker image versions prior to 1.26.3
Description
The Gitea Docker image contains a configuration flaw where the
REVERSE PROXY TRUSTED PROXIES variable defaults to *. When reverse-proxy authentication is enabled, the system trusts the X-WEBAUTH-USER header from any source IP address. This allows an unauthenticated remote attacker to spoof the X-WEBAUTH-USER header to impersonate any user, including administrators, and bypass authentication entirely. Approximately 6,200 internet-facing instances are estimated to be affected, and active probing by threat actors has been detected. Successful exploitation could grant access to repositories, CI/CD secrets, SSH keys, and administrative functions.Recommendations
Update Gitea Docker image to version 1.26.3 or 1.26.4.
As a temporary workaround, set the
REVERSE PROXY TRUSTED PROXIES variable to 127.0.0.0/8,::1/128 or the actual IP addresses of the trusted proxies.Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gitea