Threat actors are actively exploiting a critical authentication bypass vulnerability in Gitea’s official Docker images, tracked as CVE-2026-20896, which allows unauthenticated attackers to gain unrestricted access to repositories and sensitive data with a single crafted HTTP header.
Sysdig researchers detected the first in-the-wild exploitation of the flaw just 13 days after the vendor’s advisory was published. The initial hit came from a VPN-exit scanner that probed for accessible Gitea instances and successfully gained access.
A single HTTP header unlocks the kingdom
The vulnerability carries a CVSS score of 9.8 and stems from insecure default configuration in Gitea’s Docker images prior to version 1.26.3. The default image ships with REVERSE_PROXY_TRUSTED_PROXIES = *, meaning every source IP is treated as a trusted reverse proxy by default.
Gitea supports reverse proxy authentication by trusting the X-WEBAUTH-USER HTTP header, but only when the request originates from a trusted proxy IP. The wildcard configuration effectively disables this safeguard, allowing anyone who can reach the service port to send an X-WEBAUTH-USER header and log in as any user, including administrators.
“No password. No token. One header,” said security researcher Ali Mustafa, who discovered the issue. “If you turn on reverse-proxy login, that wildcard means every source IP is treated as a trusted proxy.”
The window between disclosure and active attacks
Sysdig’s threat detection sensors recorded active exploitation attempts beginning 13 days after Gitea released version 1.26.3 with the fix. The attackers used automated scanners to identify internet-facing Gitea instances running vulnerable Docker images, then exploited the header injection to enumerate repositories and extract sensitive secrets.
Organizations using Gitea in Docker deployments should verify they are running version 1.26.3 or later and audit their reverse proxy configuration. Any instance with REVERSE_PROXY_TRUSTED_PROXIES set to a wildcard or overly permissive range should be considered compromised, and repository secrets should be rotated immediately.
Patch today or risk a takeover tomorrow
Operators should update to Gitea 1.26.3 or later, restrict reverse proxy trust to specific IP addresses or subnets, and audit authentication logs for unexpected access patterns. Where feasible, organizations should consider disabling reverse proxy authentication in favor of OAuth or SSO integration for production deployments.
