Attackers are exploiting CVE-2026-20896 in Gitea’s official Docker image to impersonate any user via a single trusted header. The critical flaw affects default configurations of instances up to version 1.26.2, prompting urgent upgrades to 1.26.4 and log reviews.

Consequently, any unauthenticated client on the internet can assume the identity of any user whose login name is known or can be guessed.
Successful impersonation can give attackers access to repositories, secrets, API keys, and credentials.
Organizations running self-hosted Gitea must treat the REVERSE_PROXY_TRUSTED_PROXIES wildcard as an immediate exposure vector and move to explicit IP allow-lists or the latest patched release.
Tap a lens to see what this story means for you.
Reader-supported · Daily Brief
Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.
See what’s happening right now
The Feed runs all day — short, verified briefs the moment they break.
Open the FeedFollow @thecircuitry_
Every story we publish, as it happens. No noise between.
Reader-supported
The Circuitry is a passion project I've always wanted to build, and I love the work behind it.
Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.
Any contribution is appreciated. If not, no pressure. Thanks for reading.
Netflix, Sony Pictures, Paramount Skydance, TPG and Alexis Ohanian are in early talks to buy a controlling stake in Letterboxd from its majority owner Tiny. The film social network has grown to more than 30 million members, but a studio takeover would raise fresh concerns about conflicts of interest on a key review platform.
Progress Software has begun contacting organizations that run Storage Zone Controllers for its ShareFile platform, directing them to turn off the associated Windows servers at once because of what the firm calls a "credible external security threat" aimed at the on-premises component. Cloud access has been blocked as a precaution while the company and outside experts investigate.
China enacted a temporary helium export ban on July 10, 2026 to safeguard domestic supplies amid ongoing Middle East supply risks. The step highlights concerns over prolonged global shortages of the irreplaceable gas used in chipmaking and medical imaging.