Critical Gitea Docker Flaw Under Active Exploitation: Patch Now
Threat actors are actively attempting to exploit **CVE-2026-20896**, a critical vulnerability found in **Gitea** Docker images. This flaw, stemming from an insecure default configuration, allows unauthenticated attackers to gain elevated access, potentially leading to full administrative control. IT security professionals and users are urged to patch immediately.
Threat actors have been observed attempting to exploit a recently patched critical security flaw in **Gitea** Docker images, according to **Sysdig**.

## The Vulnerability: CVE-2026-20896
The vulnerability in question is **CVE-2026-20896** (CVSS score: 9.8). This critical flaw arises from the DevOps platform's default configuration, which trusts the "X-WEBAUTH-USER" header from any source IP address. This effectively allows an unauthenticated internet client to obtain elevated access.
## Insecure Defaults in Docker Images
Security researcher **Ali Mustafa** (@rz1027), credited with discovering and reporting the flaw, explained that **Gitea** Docker images shipped with an `app.ini` template that hard-coded `REVERSE_PROXY_TRUSTED_PROXIES = *` by default. The `app.ini` file is a core configuration file for managing server parameters, database connections, security behavior, and application settings.
Mustafa stated: "With reverse-proxy login enabled, that wildcard trusts every source IP, so anyone who could reach the port could send an X-WEBAUTH-USER header and be authenticated as any user, with no password and no token. With auto-registration on, an admin username gives admin."
## The Impact of a Wildcard Trust
The documented safe value for the `REVERSE_PROXY_TRUSTED_PROXIES` internal variable is `127.0.0.0/8,::1/128`, meaning only localhost (the loopback interface) is allowed as a trusted proxy server. However, the official Docker image did not use this secure default, instead hard-coding `*`. This effectively nullified the allowlist check.
When an administrator enabled `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` to place **Gitea** behind an authenticating reverse proxy, and left the `REVERSE_PROXY_TRUSTED_PROXIES` setting at its default wildcard value, it permitted a `X-WEBAUTH-USER` custom HTTP header from any source IP that could reach the container directly.
According to **Gitea**'s advisory, "Any process that can reach the Gitea container's HTTP port directly β not through the intended authenticating proxy β can impersonate any user whose login name is known or guessable. Admin accounts (admin, gitea_admin, etc.) are the obvious targets."
## Affected Versions and Patch
The vulnerability affects **Gitea** Docker images versions up to and including **1.26.2**. The issue has been addressed in **version 1.26.3**, released late last month. This update removes the `*` wildcard and makes reverse-proxy authentication opt-in, significantly enhancing security.
## In-the-Wild Exploitation Attempts
Cloud security company **Sysdig** has since revealed it detected the first in-the-wild exploitation attempt 13 days after the public disclosure of the vulnerability. Approximately 6,200 **Gitea** instances are currently internet-facing.
**Michael Clark**, senior director of threat research at **Sysdig**, noted: "So far, the activities have been related to initial investigation by the threat actor. While we saw the first action from an IP from the **ProtonVPN** service, 159.26.98[.]241, it has not so far progressed to any exploitation or attack progress. We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase."
Given the severity of **CVE-2026-20896**, it is crucial for users to apply the available fixes as soon as possible to ensure optimal protection against potential exploitation.