Overview
- Security vendor Sysdig reported the first in-the-wild probes of CVE-2026-20896 13 days after the public disclosure, with activity described as early reconnaissance rather than confirmed large-scale exploitation.
- The flaw affects Gitea’s official Docker images up to 1.26.2 because the image set REVERSE_PROXY_TRUSTED_PROXIES='*', which makes Gitea trust X-WEBAUTH-USER headers from any source IP.
- Exploitation requires only sending an X-WEBAUTH-USER header with a valid username so an attacker can impersonate users, and admin accounts are obvious high-value targets.
- Gitea fixed the defect by removing the '*' default and making reverse-proxy authentication opt-in in releases 1.26.3 and 1.26.4, and vendors are urging immediate updates and configuration checks.
- Sysdig found roughly 6,200 internet-accessible Gitea instances and warns that successful compromise could expose private repositories, committed secrets, CI/CD configuration, and deploy keys with potential downstream impacts on deployments and supply chains.