Overview
Threat actors are actively exploiting a critical authentication bypass vulnerability in the official Docker image for Gitea, the popular self-hosted Git service used by thousands of organizations worldwide. The flaw allows completely unauthenticated attackers to impersonate any user on an affected instance — including administrators — without supplying valid credentials.
What Is Gitea?
Gitea is an open-source, self-hosted Git service similar to GitHub or GitLab. It is widely used by small-to-medium development teams, homelabs, internal enterprise deployments, and open-source projects that prefer to maintain full control over their source code infrastructure. The official Docker image is the most common deployment method.
Vulnerability Details
The authentication bypass exists in the official Gitea Docker image rather than the Gitea application source code itself. A misconfiguration or flaw in the containerized environment allows attackers to bypass the authentication layer entirely, presenting themselves as any user on the system.
Key characteristics of the vulnerability:
- Unauthenticated access — no valid credentials required
- Privilege escalation — impersonation of administrator accounts possible
- Active exploitation — in-the-wild attacks have been confirmed
- Docker image scope — instances deployed via the official Docker image are affected
Potential Impact
An attacker who successfully exploits this vulnerability on a Gitea instance can:
- Read all repositories — including private source code, secrets in code, and configuration files
- Push malicious commits — injecting backdoors into codebases or CI/CD pipeline configurations
- Steal credentials — harvesting SSH keys, API tokens, and webhooks stored in Gitea
- Supply chain attacks — modifying upstream repositories that downstream projects depend on
- Deploy to production — if Gitea is connected to automated CI/CD pipelines
For organizations using Gitea as an internal development hub, a compromise could expose entire codebases, infrastructure-as-code repositories, and deployment secrets.
Who Is at Risk?
Any organization or individual running Gitea via the official Docker image is potentially affected. Self-hosted instances accessible over the internet without additional network-layer protections (VPN, firewall) face the greatest risk. Instances on private networks remain at risk from insiders or attackers who have already achieved network access.
Recommended Actions
- Immediately restrict external access to your Gitea instance — place it behind a VPN or firewall if it is currently internet-facing.
- Check for updates to the official Gitea Docker image and pull the latest patched version:
docker pull gitea/gitea:latest docker-compose pull && docker-compose up -d - Audit access logs — review Gitea's activity log for unexpected user impersonation, repository access from unknown IPs, or newly created SSH keys.
- Rotate all secrets — any SSH keys, API tokens, webhooks, or credentials stored in or accessible via Gitea repositories should be considered compromised until audited.
- Review CI/CD pipelines — verify that no unauthorized commits or configuration changes have been pushed to pipeline definitions.
- Enable 2FA as an additional layer for all administrator accounts once the patch is applied.
Context
This incident is a reminder that container images themselves can be attack surfaces, separate from the application they package. Organizations deploying self-hosted Git services should treat the container image supply chain — including base images and the official image publishing process — as part of their security perimeter.
Gitea deployments are commonly found in environments that also host sensitive internal tooling, making them high-value targets for initial access brokers and supply chain threat actors.