Critical Gitea Docker Flaw Actively Exploited: Full Admin Control Possible
A severe authentication bypass vulnerability in the official **Gitea** Docker image, tracked as **CVE-2026-20896**, is under active exploitation. This flaw allows attackers to impersonate any user, including administrators, in deployments using default configurations with reverse proxy authentication headers enabled. IT security professionals and privacy-conscious users are urged to take immediate action to secure their **Gitea** instances.
Hackers are actively exploiting a critical vulnerability in the official Docker image for the **Gitea** self-hosted Git service, allowing unauthenticated attackers to gain full administrative control.
### The Vulnerability: CVE-2026-20896
The security flaw, identified as **CVE-2026-20896**, is an authentication bypass that affects **Gitea** deployments utilizing the default configuration where reverse proxy authentication headers, such as `X-WEBAUTH-USER`, are enabled. This critical issue allows attackers to impersonate any user simply by manipulating a single header.
**Michael Clark**, a leading security researcher at **Sysdig**, confirmed that in-the-wild exploitation began less than two weeks before the vulnerability was publicly disclosed. **Clark** highlighted the simplicity of the attack:
"**Gitea**'s official Docker image ships `REVERSE_PROXY_TRUSTED_PROXIES=*`. With reverse-proxy authentication enabled, **Gitea** then trusts the `X-WEBAUTH-USER` header from any source IP so an unauthenticated internet client becomes whoever it claims to be. No password. No token. One header. **Sysdig** sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access."
### Scope of Impact
**Gitea** is a popular open-source alternative to **GitHub** and **GitLab**, used for source code management, collaboration, and CI/CD operations. Approximately 6,200 **Gitea** instances are currently exposed on the public internet, though the exact number of vulnerable deployments remains unclear.
The flaw stems from the **Gitea** official Docker image's default configuration, which sets `REVERSE_PROXY_TRUSTED_PROXIES` to a wildcard `*`. This allows **Gitea** to trust identity headers from any client IP address, rather than restricting trust to specific, known reverse proxies. Consequently, any process capable of directly reaching the **Gitea** container's HTTP port (bypassing the intended authenticating proxy) can impersonate any user, with administrator accounts being prime targets.
### Remediation and Recommendations
The **CVE-2026-20896** critical bug impacts official **Gitea** Docker images up to and including version 1.26.2 in their default configurations.
**Gitea** has released versions **1.26.3** and **1.26.4** to address this vulnerability. Users are strongly advised to upgrade immediately to the most recent release, which also includes fixes for an additional issue and a regression introduced in version **1.26.3**.

Singaporeβs cybersecurity agency (**CSA**) has also issued a warning regarding the active exploitation of **CVE-2026-20896**. For instances where immediate upgrading is not feasible, the **CSA** recommends a crucial mitigation step: restricting the `REVERSE_PROXY_TRUSTED_PROXIES` setting to specific trusted IP addresses instead of using the default wildcard `*`.
Furthermore, organizations should meticulously review their access logs for any suspicious activity to determine if a compromise has already occurred. Proactive monitoring and rapid response are essential in mitigating the risks posed by this actively exploited vulnerability.