Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
Threat actors are beginning to probe a critical Gitea Docker image flaw, CVE-2026-20896, which can let an unauthenticated attacker impersonate users by abusing the X-WEBAUTH-USER header. The issue affects Gitea Docker images through 1.26.2 and was fixed in 1.26.3 after Sysdig observed the first in-the-wild investigation attempt. #Gitea #CVE-2026-20896 #Sysdig

Keypoints

  • CVE-2026-20896 lets attackers exploit Gitea’s reverse-proxy authentication logic.
  • The Docker images trusted the X-WEBAUTH-USER header from any source IP.
  • The default REVERSE_PROXY_TRUSTED_PROXIES value was hard-coded to β€œ*”.
  • Gitea Docker images up to version 1.26.2 are affected.
  • Sysdig detected the first in-the-wild probing attempt after public disclosure.

Read More: https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html