370/69 Wednesday, July 8, 2026

Reports indicate that threat actors have begun scanning systems to identify and attempt exploitation of a Critical security vulnerability, tracked as CVE-2026-20896, in Gitea Docker images just 13 days after the flaw was publicly disclosed. The vulnerability has a CVSS score of 9.8 and directly affects organizations and developers using the DevOps platform. If successfully exploited, remote attackers could access and escalate privileges within the system without authentication and without requiring any password.
The root cause of the vulnerability is the default configuration file, app.ini, inside Gitea Docker images, where the REVERSE_PROXY_TRUSTED_PROXIES variable is set to an asterisk, meaning all IP addresses are trusted. When administrators enable authentication through a reverse proxy, the system trusts the X-WEBAUTH-USER header from any source. As a result, any process that can directly access the Gitea port could impersonate any existing user in the system, including administrator accounts. Cybersecurity firm Sysdig initially reported reconnaissance activity originating from VPN networks and targeting more than 6,200 internet-exposed Gitea servers worldwide. Although full compromise has not yet been observed, the risk remains very high. The vulnerability affects Gitea Docker images version 1.26.2 and all earlier versions.
To prevent and reduce risk, administrators and users who installed Gitea through Docker should immediately update to version 1.26.3. The developers fixed the issue by removing the default setting that allowed all IP addresses and changing reverse proxy authentication to an opt-in feature that must be manually enabled. Administrators should also review network configurations to ensure that the variable is configured to trust only internal and trusted IP addresses. In addition, access logs should be reviewed for attempts to send abnormal HTTP headers, which can help protect the organization’s sensitive data from cyber threats more effectively.
Source: https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html
