Threat actors are beginning to probe a critical Gitea Docker image flaw, CVE-2026-20896, which can let an unauthenticated attacker impersonate users by abusing the X-WEBAUTH-USER header. The issue affects Gitea Docker images through 1.26.2 and was fixed in 1.26.3 after Sysdig observed the first in-the-wild investigation attempt. #Gitea #CVE-2026-20896 #Sysdig
Keypoints
- CVE-2026-20896 lets attackers exploit Giteaβs reverse-proxy authentication logic.
- The Docker images trusted the X-WEBAUTH-USER header from any source IP.
- The default REVERSE_PROXY_TRUSTED_PROXIES value was hard-coded to β*β.
- Gitea Docker images up to version 1.26.2 are affected.
- Sysdig detected the first in-the-wild probing attempt after public disclosure.
Read More: https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html