Gitea Docker Authentication Bypass Vulnerability Under Active Exploitation

Gitea Docker Authentication Bypass Vulnerability Under Active Exploitation

First seen 7 Jul 2026, 15:00 UTC RescanaSecurityaffairs.Comondoo.comomniware.orgwww.cve.org+1 86% similarity 72.8

Article Content

Browse articles
ThreatCluster

CVE-2026-20896 is a critical authentication bypass vulnerability (CVSS 9.8) affecting Gitea Docker images up to version 1.26.2. Discovered on July 3, 2026, the flaw allows unauthenticated remote attackers to impersonate any user by injecting a crafted X-WEBAUTH-USER HTTP header. Thirteen days post-disclosure, attackers began probing for vulnerable instances, with initial reconnaissance linked to a ProtonVPN exit node. The vulnerability arises from a misconfiguration in the Docker image, which trusts all reverse proxies, disabling critical source validation. Exploitation is straightforward, enabling attackers to gain full access to repositories and sensitive data. The issue is exacerbated by the prevalence of default configurations in Docker deployments. As of now, there is no evidence connecting the exploitation to specific APT groups or organized crime syndicates.

Key Points: • CVE-2026-20896 allows unauthenticated access to Gitea Docker instances. • Exploitation began 13 days after public disclosure, traced to a ProtonVPN exit node. • Default configurations in Docker images exacerbate the vulnerability's impact.

ThreatCluster AI

Timeline

2026-07-03
CVE-2026-20896 published
Gitea Docker authentication bypass vulnerability disclosed, affecting versions up to 1.26.2.
Rescana
2026-07-06
First public PoC released
Proof of concept for CVE-2026-20896 made public, demonstrating the exploit method.
Rescana
2026-07-07
Active exploitation reported
Researchers confirm active exploitation of CVE-2026-20896, with attackers targeting vulnerable Gitea instances.
Securityaffairs.Co

Community

Browse all →