PT-2026-52216 · Gitea · Gitea

Joshua Martinelle

+1

·

Published

2026-06-25

·

Updated

2026-07-07

·

CVE-2026-20896

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Gitea Docker image versions prior to 1.26.3
Description The Gitea Docker image contains a configuration flaw where the REVERSE PROXY TRUSTED PROXIES variable defaults to *. When reverse-proxy authentication is enabled, the system trusts the X-WEBAUTH-USER header from any source IP address. This allows an unauthenticated remote attacker to spoof the X-WEBAUTH-USER header to impersonate any user, including administrators, and bypass authentication entirely. Approximately 6,200 internet-facing instances are estimated to be affected, and active probing by threat actors has been detected. Successful exploitation could grant access to repositories, CI/CD secrets, SSH keys, and administrative functions.
Recommendations Update Gitea Docker image to version 1.26.3 or 1.26.4. As a temporary workaround, set the REVERSE PROXY TRUSTED PROXIES variable to 127.0.0.0/8,::1/128 or the actual IP addresses of the trusted proxies.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-20896

Affected Products

Gitea