Threat actors have begun probing a critical security flaw in Gitea’s Docker images, identified as CVE-2026-20896, which carries a CVSS score of 9.8. This vulnerability arises from Gitea’s default configuration that trusts the “X-WEBAUTH-USER” header from any source IP address, potentially granting unauthorized users elevated access.
The issue stems from the Gitea Docker images shipping with an “app.ini” configuration file that sets “REVERSE_PROXY_TRUSTED_PROXIES = *” by default. This setting allows any IP address to be recognized as a trusted proxy. Consequently, if reverse-proxy authentication is enabled, any client can send an “X-WEBAUTH-USER” header and authenticate as any user without requiring a password or token. If auto-registration is also enabled, an attacker could register as an admin user, gaining full administrative privileges.
Gitea’s documentation recommends setting “REVERSE_PROXY_TRUSTED_PROXIES” to “127.0.0.0/8,::1/128” to restrict trusted proxies to localhost. However, the default Docker image configuration deviates from this recommendation by using a wildcard, effectively nullifying the intended security measure.
Versions of Gitea Docker images up to and including 1.26.2 are affected by this vulnerability. The issue has been addressed in version 1.26.3, released in late June 2026, which removes the wildcard setting and makes reverse-proxy authentication opt-in.
Cloud security firm Sysdig reported detecting the first exploitation attempt in the wild 13 days after the vulnerability’s public disclosure. With approximately 6,200 internet-facing Gitea instances, the potential attack surface is significant. Initial activities observed by threat actors have been limited to reconnaissance, with no confirmed exploitation or attack progression to date.
Given the severity of this vulnerability and the active probing by malicious actors, it is imperative for organizations using affected Gitea Docker images to update to the patched version promptly. This incident underscores the importance of adhering to secure default configurations and promptly applying security updates to mitigate potential risks.