CVE-2026-20896
Gitea · Gitea Open Source Git Server
A default configuration error in Gitea Docker images allows unauthenticated attackers to spoof user identities via reverse-proxy authentication headers.
Executive summary
A critical authentication bypass vulnerability in Gitea's default Docker configuration allows remote attackers to impersonate any user, leading to total unauthorized access to the repository server.
Vulnerability
The application's default configuration trusts reverse-proxy authentication headers from any source address (REVERSE_PROXY_TRUSTED_PROXIES=*). With the trusted-proxy list set to the wildcard, Gitea cannot distinguish an X-WEBAUTH-USER header set by the real reverse proxy from one supplied by a client that reaches the server directly, so an unauthenticated attacker who can connect to the instance can send X-WEBAUTH-USER with any user name and be treated as that authenticated user.
Business impact
The ability to impersonate any user, including administrative accounts, grants an attacker full control over the Git infrastructure. This poses a significant risk of intellectual property theft, unauthorized code injection into production pipelines, and total system compromise. With a CVSS score of 9.8, this is an extremely high-risk vulnerability that could lead to catastrophic business disruption.
Remediation
Immediate Action: Update Gitea to the latest version and explicitly set REVERSE_PROXY_TRUSTED_PROXIES to only the IP addresses or CIDR ranges of the known reverse proxies (never *). Also confirm that the proxy itself overwrites the X-WEBAUTH-USER header on every forwarded request rather than passing a client-supplied value through, since the trusted-proxy list cannot tell a header the proxy set from one it merely relayed.
Proactive Monitoring: Audit access logs for suspicious authentication patterns, for example sessions for administrative accounts whose source address is not the reverse proxy, or Gitea logins with no matching authentication event at the proxy.
Compensating Controls: If an immediate update is not feasible, restrict network access to the Gitea instance to trusted internal networks, ideally so that only the reverse proxy can reach it (firewall rules, or Docker network isolation that does not publish Gitea's port). This removes the direct path an attacker needs to supply the header, but it does not help if the proxy forwards client-supplied headers unchanged.
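To make the vulnerability and the first remediation step concrete, the following is an added example written for this advisory; it is not Gitea's own code. It reimplements the semantics of the [security] REVERSE_PROXY_TRUSTED_PROXIES setting (a comma-separated list of addresses or CIDR ranges, or * for everything) and evaluates the forged-header request described above under both the weak wildcard value and an explicit proxy list. The proxy subnet 10.0.0.0/8, the attacker address 203.0.113.5 and the user names are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// TrustedProxies models the semantics of Gitea's [security]
// REVERSE_PROXY_TRUSTED_PROXIES setting: a comma-separated list of
// IP addresses or CIDR ranges, or "*" to trust every source address.
// Illustrative reimplementation for this advisory, not Gitea's code.
type TrustedProxies struct {
	all  bool
	nets []netip.Prefix
}

// ParseTrustedProxies turns the setting string into a checkable policy.
func ParseTrustedProxies(setting string) (TrustedProxies, error) {
	var tp TrustedProxies
	for _, item := range strings.Split(setting, ",") {
		item = strings.TrimSpace(item)
		switch {
		case item == "":
			continue
		case item == "*":
			tp.all = true
			continue
		case !strings.Contains(item, "/"):
			// A bare address is treated as a single-host prefix.
			addr, err := netip.ParseAddr(item)
			if err != nil {
				return TrustedProxies{}, fmt.Errorf("bad proxy address %q: %w", item, err)
			}
			tp.nets = append(tp.nets, netip.PrefixFrom(addr, addr.BitLen()))
			continue
		}
		p, err := netip.ParsePrefix(item)
		if err != nil {
			return TrustedProxies{}, fmt.Errorf("bad proxy range %q: %w", item, err)
		}
		tp.nets = append(tp.nets, p)
	}
	return tp, nil
}

// Trusts reports whether a TCP peer address (host:port, as found in
// http.Request.RemoteAddr) belongs to a configured trusted proxy.
func (tp TrustedProxies) Trusts(remoteAddr string) bool {
	if tp.all {
		return true // "*": every peer, including a direct attacker, counts as the proxy
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false
	}
	addr = addr.Unmap() // treat ::ffff:10.0.0.7 as 10.0.0.7 so IPv4 prefixes match
	for _, p := range tp.nets {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// UserFromProxyHeader returns the identity the server may accept from the
// X-WEBAUTH-USER header, or "" when the peer is not a trusted proxy.
func UserFromProxyHeader(tp TrustedProxies, r *http.Request) string {
	if !tp.Trusts(r.RemoteAddr) {
		return ""
	}
	return r.Header.Get("X-WEBAUTH-USER")
}

// Decide evaluates one request (peer address plus header value) under one setting.
func Decide(setting, remoteAddr, headerUser string) (string, error) {
	tp, err := ParseTrustedProxies(setting)
	if err != nil {
		return "", err
	}
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	r.Header.Set("X-WEBAUTH-USER", headerUser)
	return UserFromProxyHeader(tp, r), nil
}

func main() {
	// Constructed scenario: the real proxy lives in 10.0.0.0/8 (assumed);
	// 203.0.113.5 is an attacker reaching Gitea directly with a forged header.
	for _, setting := range []string{"*", "10.0.0.0/8, ::1/128"} {
		attacker, _ := Decide(setting, "203.0.113.5:51234", "admin")
		proxy, _ := Decide(setting, "10.0.0.7:40000", "alice")
		fmt.Printf("REVERSE_PROXY_TRUSTED_PROXIES=%q: attacker->%q proxy->%q\n",
			setting, attacker, proxy)
	}
}
```

With the wildcard, the forged request from 203.0.113.5 is accepted as admin; with the explicit list it yields no identity while the request from the proxy subnet still carries alice. The check only looks at the TCP peer address, which is why it is no protection at all if the real proxy relays a client-supplied X-WEBAUTH-USER instead of overwriting it.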
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a fundamental failure in identity verification. Organizations hosting Gitea must treat this as a top-priority remediation, ensuring both the software update is applied and the configuration is hardened to restrict trusted proxy sources.