Particle.news

Gitea Docker Authentication Bypass Probed in the Wild

The bug lets anyone who can reach an exposed container set a single HTTP header to impersonate users and access code and secrets.

Overview

  • Security vendor Sysdig reported the first in-the-wild probes of CVE-2026-20896 13 days after the public disclosure, with activity described as early reconnaissance rather than confirmed large-scale exploitation.
  • The flaw affects Gitea’s official Docker images up to 1.26.2 because the image set REVERSE_PROXY_TRUSTED_PROXIES='*', which makes Gitea trust X-WEBAUTH-USER headers from any source IP.
  • Exploitation requires only sending an X-WEBAUTH-USER header with a valid username so an attacker can impersonate users, and admin accounts are obvious high-value targets.
  • Gitea fixed the defect by removing the '*' default and making reverse-proxy authentication opt-in in releases 1.26.3 and 1.26.4, and vendors are urging immediate updates and configuration checks.
  • Sysdig found roughly 6,200 internet-accessible Gitea instances and warns that successful compromise could expose private repositories, committed secrets, CI/CD configuration, and deploy keys with potential downstream impacts on deployments and supply chains.