Back to advisories

Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Critical vulnerability CVE-2026-20896 in Gitea's reverse-proxy authentication is under active exploitation. Attackers bypass authentication by spoofing a single HTTP header to gain unauthorized access to repositories and secrets. Gitea Docker images prior to version 1.26.3 are vulnerable due to default misconfiguration.

CRITICALAdvisoryJul 09, 2026
Action required
Immediately inventory all Gitea instances. Upgrade Docker images to version 1.26.3 or later. For instances behind proxies running older versions, disable reverse-proxy authentication or implement strict source IP allowlisting. Hunt for unauthorized repository access and credential exfiltration in logs.
Affected products
GiteaDocker images