Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-20896: Gitea Docker Image Authentication Bypass
CVE-2026-20896: Gitea Docker Image Authentication Bypass

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-20896

CVE-2026-20896: Gitea Docker Image Authentication Bypass

All official Gitea Docker images through v1.26.2 ship with a wildcard trusted proxy setting that lets any unauthenticated attacker impersonate any user...

Dylan H.

Security Team

July 4, 2026
4 min read

Affected Products

  • Gitea Docker image (gitea/gitea) ≤ 1.26.2
  • Gitea Rootless Docker image ≤ 1.26.2

Executive Summary

The official Gitea Docker image ships with a hardcoded misconfiguration that completely undermines its reverse proxy authentication feature. Every gitea/gitea Docker image through version 1.26.2 sets REVERSE_PROXY_TRUSTED_PROXIES = * in its app.ini template — meaning the application trusts authentication headers from any source IP, not just the local reverse proxy.

CVSS Score: 9.8 (Critical)
Attack Vector: Network | No Authentication Required | No User Interaction

The flaw is trivially exploitable with a single HTTP request. Gitea 1.26.3 fixes the issue.


Vulnerability Overview

Root Cause

Gitea's documented default for REVERSE_PROXY_TRUSTED_PROXIES is 127.0.0.0/8,::1/128 (loopback only). However, two Docker image template files override this with a wildcard:

  • docker/root/etc/templates/app.ini (line 55)
  • docker/rootless/etc/templates/app.ini (line 52)

When ENABLE_REVERSE_PROXY_AUTHENTICATION = true is active — a common SSO configuration — Gitea reads user identity from the X-WEBAUTH-USER HTTP header. Because of the wildcard, this header is trusted from any IP on the network.

Binary installs and self-compiled builds are not affected. Only Docker image deployments.

Attack Chain

1. Attacker identifies Gitea instance deployed via Docker
2. Checks if reverse proxy authentication is enabled (often visible in UI)
3. Sends HTTP request with forged X-WEBAUTH-USER header
4. Gitea trusts the header from any source IP (wildcard config)
5. Attacker is authenticated as the target user — no credentials needed

The exploit is one command:

curl -H "X-WEBAUTH-USER: admin" http://target-gitea:3000/

Technical Details

Affected Versions

ImageAffected VersionsFixed Version
gitea/gitea (standard)All Docker releases ≤ 1.26.21.26.3
gitea/gitea (rootless)All Docker releases ≤ 1.26.21.26.3
Binary / self-compiledNot affected—

CVE Classification

FieldValue
CVE IDCVE-2026-20896
CVSS 3.1 Score9.8 Critical
VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWECWE-284 (Improper Access Control)
Reported byJoshua Martinelle (Tenable), @rz1027
Fixed inGitea PR #38151 → v1.26.3

Secondary Escalation: Account Creation

If ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true is also enabled, attackers can not only impersonate existing users but create arbitrary new accounts with any username by simply sending a forged header for a username that doesn't yet exist.


Identifying Affected Deployments

Check Your Configuration

# Check your running Gitea config for the vulnerable setting
docker exec <gitea-container> cat /data/gitea/conf/app.ini | grep -A5 REVERSE_PROXY
 
# Look for the dangerous wildcard:
# REVERSE_PROXY_TRUSTED_PROXIES = *
 
# Safe configuration restricts to your actual proxy:
# REVERSE_PROXY_TRUSTED_PROXIES = 172.17.0.0/16

Vulnerable vs. Safe Configuration

ConfigurationRisk Level
REVERSE_PROXY_TRUSTED_PROXIES = * + auth enabledCritical — actively exploitable
REVERSE_PROXY_TRUSTED_PROXIES = * + auth disabledModerate (no immediate bypass)
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1Safe
Binary / non-Docker deploymentNot affected

Immediate Remediation

Option 1: Upgrade to Gitea 1.26.3 (Recommended)

docker pull gitea/gitea:1.26.3
docker-compose up -d  # or your deployment method

The fix makes reverse proxy authentication explicitly opt-in and requires administrators to set trusted proxy IPs manually.

Option 2: Restrict Trusted Proxies Immediately

If you cannot upgrade right now, lock down the trusted proxy setting to your actual reverse proxy IP:

# /data/gitea/conf/app.ini
[security]
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1  ; loopback only
; Or your specific proxy:
; REVERSE_PROXY_TRUSTED_PROXIES = 192.168.1.10

Then restart Gitea:

docker restart <gitea-container>

Option 3: Disable Reverse Proxy Authentication

If SSO via reverse proxy is not actively in use, disable it entirely:

[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false

Detection

Check for Exploitation Attempts

# Review Gitea access logs for logins missing standard credentials
docker exec <gitea-container> grep "X-WEBAUTH-USER" /data/gitea/log/gitea.log
 
# Look for unexpected admin logins or account creations
# Check Gitea Admin Panel → Users → filter by creation date

SIEM Detection (Splunk)

index=web sourcetype=access_combined
| where isnotnull(http_header_x_webauth_user)
| stats count by src_ip, http_header_x_webauth_user, dest_host
| where count > 1
| sort -count

References

  • NVD — CVE-2026-20896
  • Gitea Security Advisory — PR #38151
  • Gitea 1.26.3 Release Notes

Related Reading

  • CVE-2026-22874: Gitea SSRF Protection Bypass
  • How to Secure GitHub Actions Workflows with OIDC
#Gitea#Authentication Bypass#Docker#Reverse Proxy#Critical#DevOps Security

Related Articles

CVE-2026-22874: Gitea SSRF Filter Bypass Exposes Cloud Credentials

Gitea versions through 1.26.2 use an incomplete IP filter that allows authenticated users to reach AWS Instance Metadata, Azure WireServer, and...

5 min read

CVE-2026-53483: Dell PowerProtect Data Domain Authentication Bypass — CVSS 9.8

A critical authentication bypass in Dell PowerProtect Data Domain allows unauthenticated remote attackers to gain access to the backup platform. Combined with CVE-2026-53481, full pre-authenticated system compromise is possible.

6 min read

CVE-2026-52830: fast-mcp-telegram Path Traversal Enables Bearer Token Bypass

A critical path traversal vulnerability in the fast-mcp-telegram Telegram MCP Server allows attackers to bypass Bearer token authentication and read...

3 min read
Back to all Security Alerts