← All articles

Gitea Docker images trusted a forged header, letting anyone log in as any user

Attackers have started probing a critical flaw in Gitea's official Docker images, the self-hosted Git service used by many development teams. The images shipped a configuration that trusted the X-WEBAUTH-USER header from any source address, so with reverse-proxy login enabled, anyone who could reach the port could send that header and be authenticated as any user, no password required. Tracked as CVE-2026-20896 and rated 9.8, it was fixed in version 1.26.3 late last month, which removes the wildcard and makes reverse-proxy authentication opt-in. Sysdig reported the first exploitation attempt 13 days after disclosure, so far just reconnaissance, against some of the roughly 6,200 internet-facing Gitea instances.

Check
Check whether you run Gitea from its Docker image and on what version, review the app.ini reverse-proxy trusted-proxies setting for a wildcard, and whether the instance is internet-reachable.
Affected
Self-hosted Gitea Docker deployments on version 1.26.2 or earlier with reverse-proxy login enabled (CVE-2026-20896); an unauthenticated attacker who can reach the service can impersonate any user by forging one header.
Fix
Update Gitea to 1.26.3 or later, remove the wildcard from the reverse-proxy trusted-proxies setting, keep management interfaces off the public internet, and review logs for spoofed X-WEBAUTH-USER authentication attempts.