Critical Gitea Flaw Under Active Exploitation, Researchers Warn
Critical Gitea vulnerability CVE-2026-20896 is being actively exploited to bypass authentication.
Summary
A critical vulnerability (CVE-2026-20896) in Gitea's reverse-proxy authentication mechanism is being actively exploited by threat actors. The flaw allows attackers to bypass authentication by providing a valid username in a single HTTP header, granting them access to repositories and secrets. This issue specifically affects Gitea Docker images prior to version 1.26.3 due to default settings that do not enforce an allowlist for source IP addresses when behind a proxy. Updates to version 1.26.3/1.26.4 have made reverse-proxy authentication an opt-in feature, mitigating the risk.
Full text
Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username. Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says. The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains. If placed behind a proxy, Gitea should trust only a header set by the proxy when reverse-proxy authentication is enabled. Because of the flaw, anyone who could provide a valid username in a header could connect to a vulnerable instance, bypassing authentication. “Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” the researcher notes. The patch that was introduced in Gitea versions 1.26.3 / 1.26.4 makes reverse-proxy authentication an opt-in feature.Advertisement. Scroll to continue reading. According to Clark, CVE-2026-20896’s exploitation started 13 days after public disclosure. The attempt was associated with a “VPN-exit scanner that grabbed access”. “No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory,” Clark notes. While Sysdig’s research revealed approximately 6,200 Gitea instances accessible from the internet, it is unclear how many of them are vulnerable. Users are advised to update their Gitea deployments as soon as possible, as the successful exploitation of the vulnerability could lead to the complete compromise of all the code and secrets Gitea holds. “A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys,” Clark notes. Related: Critical Adobe ColdFusion Vulnerability Exploited in Attacks Related: CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability Related: Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari Related: Gitea Vulnerability Exposed 30,000 Deployments to Attacks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Armored Likho APT Targeting Government, Electric Power EntitiesNorth Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to USGoogle, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of Devices Latest News County Government Reportedly Paid $1 Million to Cyber Extortion GroupCISA Reportedly Using Anthropic’s Mythos to Scan Government Software for FlawsCritical Adobe ColdFusion Vulnerability Exploited in AttacksIran-Linked Hackers Using Modular C&C Framework in CyberattacksCISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader and Original ThinkerLinux Kernel Vulnerability Allows VM Escape on Intel and AMD SystemsKeyfactor Scores $1 Billion+ Investment for AI, Post-Quantum SecurityBlogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-20896