What happened
Hackers are actively exploiting a critical authentication bypass vulnerability in the official Docker image for Gitea, the self-hosted Git platform used for source code management, pull requests, collaboration, deployment, and CI/CD workflows. The flaw is tracked as CVE-2026-20896 and affects official Gitea Docker images up to and including version 1.26.2.
The issue comes from the Docker image’s default reverse-proxy configuration. When reverse-proxy authentication is enabled, Gitea trusted the X-WEBAUTH-USER header from any source IP address instead of only from trusted reverse proxies. That means any client able to reach the Gitea container’s HTTP port directly could send a crafted header and impersonate a known or guessable user, including administrator accounts.
Sysdig security researcher Michael Clark confirmed that exploitation began less than two weeks after the vulnerability was publicly disclosed. Sysdig sensors detected the first in-the-wild activity 13 days after the advisory, involving a VPN-exit scanner that attempted to use the flaw for access. Around 6,200 Gitea instances are exposed on the public web, though it is unclear how many are vulnerable or already patched.
Gitea released versions 1.26.3 and 1.26.4 to address the vulnerability and advised users to upgrade directly to the latest release because version 1.26.4 also fixes an additional issue and a regression introduced in 1.26.3. Singapore’s Cyber Security Agency also warned that CVE-2026-20896 is being actively exploited and recommended restricting the REVERSE_PROXY_TRUSTED_PROXIES setting to specific trusted IP addresses if immediate upgrading is not possible.
Who is affected
Organizations using official Gitea Docker images up to version 1.26.2 are directly affected if reverse-proxy authentication is enabled and the container’s HTTP port can be reached directly.
The risk is highest for internet-facing Gitea instances and any deployment where attackers can reach the Gitea container without passing through the intended authenticating reverse proxy.
Development teams, DevOps groups, and organizations using Gitea for private repositories, pull requests, CI/CD workflows, and deployment automation should treat vulnerable systems as high priority because administrator impersonation can expose source code, secrets, build pipelines, and internal development activity.
Why CISOs should care
This flaw shows how a single unsafe container default can turn a legitimate authentication setup into a full access-control failure. Reverse-proxy authentication depends on the application trusting only headers added by the correct proxy, not headers supplied directly by any client.
For CISOs, the source code platform angle is critical. A compromised Gitea instance can expose private repositories, deployment scripts, CI/CD secrets, access tokens, and sensitive engineering discussions.
The active exploitation also matters. Sysdig observed probing within 13 days of disclosure, showing that attackers are quickly testing exposed DevOps infrastructure once public details become available.
The issue also reinforces that containerized applications need configuration review, not just version tracking. Even when the application itself is deployed behind a proxy, direct container reachability and trusted-header settings can create serious bypass paths.
3 practical actions
- Upgrade Gitea Docker deployments: Update official Gitea Docker images to version 1.26.4 or later, prioritizing internet-facing and business-critical source code platforms.
- Restrict direct container access: Ensure attackers cannot reach the Gitea container’s HTTP port directly. Access should flow only through the intended reverse proxy, with firewall rules and network controls enforcing that path.
- Review reverse-proxy authentication settings and logs: Limit REVERSE_PROXY_TRUSTED_PROXIES to specific trusted proxy IP addresses, remove wildcard trust, and review access logs for suspicious X-WEBAUTH-USER headers, unexpected admin activity, or logins from unfamiliar infrastructure.
Recent cyber news:
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

