The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Fact-check summary

The Hacker News, Security Affairs, SecurityWeek, and SC Media corroborate active exploitation of CVE-2026-20896 in Gitea Docker images, citing Sysdig telemetry and the GitHub advisory.

Sourcing
4independent sources

via BleepingComputer

BleepingComputer · track record
63Stories
100%Verified
3430d
All sources →
Home/Tech/Hackers exploit critical auth bypass in Gitea Docker image
VERIFIEDBy Xavier Rivera· ·2 min read

Hackers exploit critical auth bypass in Gitea Docker image

Attackers are exploiting CVE-2026-20896 in Gitea’s official Docker image to impersonate any user via a single trusted header. The critical flaw affects default configurations of instances up to version 1.26.2, prompting urgent upgrades to 1.26.4 and log reviews.

Source:BleepingComputer
Post
Hackers exploit critical auth bypass in Gitea Docker image
TL;DRAI · 60 sec read

Attackers exploit a critical auth bypass in Gitea’s official Docker image via the X-WEBAUTH-USER header. The flaw lets outsiders impersonate any user on default configs up to version 1.26.2. Exploitation started 13 days after disclosure across thousands of exposed instances. Patches in 1.26.3 and later make reverse proxy auth opt-in to block repo and credential theft.

Attackers are actively exploiting a critical authentication bypass flaw in the official Docker image of the Gitea self-hosted Git service. The issue lets unauthenticated outsiders impersonate any user, including administrators.

Exploitation of CVE-2026-20896 began less than two weeks after public disclosure. Michael Clark, lead security researcher at Sysdig, reported that in-the-wild activity started 13 days after the advisory. Sysdig sensors recorded the first hit originating from a VPN-exit scanner that leveraged the flaw to gain access.
Consequently, any unauthenticated client on the internet can assume the identity of any user whose login name is known or can be guessed.
The vulnerability affects deployments running the default configuration that enables reverse proxy authentication headers such as X-WEBAUTH-USER. Gitea’s official Docker image ships with the setting REVERSE_PROXY_TRUSTED_PROXIES=*, which causes the application to trust the X-WEBAUTH-USER header from any source IP address. Consequently, any unauthenticated client on the internet can assume the identity of any user whose login name is known or can be guessed.

Approximately 6,200 Gitea instances are exposed on the public web. It remains unclear how many run the vulnerable default configuration. The flaw is present in official Gitea Docker images up to and including version 1.26.2.
From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →
Gitea is an open-source self-hosted alternative to GitHub and GitLab. Organizations rely on it to store source code, manage pull requests, collaborate on projects, deploy applications, and run CI/CD operations. Successful impersonation can give attackers access to repositories, secrets, API keys, and credentials.
Successful impersonation can give attackers access to repositories, secrets, API keys, and credentials.
Gitea has released patched versions that eliminate the bypass. Versions 1.26.3 and 1.26.4 address CVE-2026-20896. The maintainer recommends upgrading directly to the latest release, which also fixes an additional issue and a regression introduced in 1.26.3. In the patched releases, reverse-proxy authentication is now opt-in rather than enabled by default.

Singapore’s cybersecurity agency has warned of active exploitation and issued mitigation guidance. If immediate upgrading is not possible, the CSA recommends restricting the REVERSE_PROXY_TRUSTED_PROXIES setting to specific trusted IP addresses instead of the wildcard *. The agency also advised organizations to review access logs for suspicious activity that could indicate a prior compromise.
The maintainer previously shared reproduction steps warning that "any process that can reach the Gitea container's HTTP port directly - not through the intended authenticating proxy - can impersonate any user whose login name is known or guessable. Admin accounts (admin, gitea_admin, etc.) are the obvious targets."

EXPERT TAKE

Organizations running self-hosted Gitea must treat the REVERSE_PROXY_TRUSTED_PROXIES wildcard as an immediate exposure vector and move to explicit IP allow-lists or the latest patched release.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
GiteaDockerVulnerabilitySecurity
More fromBleepingComputer
  • Progress tells ShareFile on-premises users to power down servers over reported threat

    Tech · 3h
  • CISA tells federal agencies to fix actively exploited Langflow IDOR flaw by Friday

    Tech · 2d
  • KDDI breach hits email platform used by five Japanese ISPs

    Tech · 2d
More inTech
  • Netflix, Sony and Paramount in talks to buy Letterboxd

    Tech · 1h
  • Progress tells ShareFile on-premises users to power down servers over reported threat

    Tech · 3h
  • China imposes temporary helium export ban

    Tech · 3h
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Daily brief at 7 AM ET. Top tech stories, every morning.

MORE IN TECH

Netflix, Sony and Paramount in talks to buy Letterboxd

Netflix, Sony Pictures, Paramount Skydance, TPG and Alexis Ohanian are in early talks to buy a controlling stake in Letterboxd from its majority owner Tiny. The film social network has grown to more than 30 million members, but a studio takeover would raise fresh concerns about conflicts of interest on a key review platform.

Progress tells ShareFile on-premises users to power down servers over reported threat

Progress Software has begun contacting organizations that run Storage Zone Controllers for its ShareFile platform, directing them to turn off the associated Windows servers at once because of what the firm calls a "credible external security threat" aimed at the on-premises component. Cloud access has been blocked as a precaution while the company and outside experts investigate.

China imposes temporary helium export ban

China enacted a temporary helium export ban on July 10, 2026 to safeguard domestic supplies amid ongoing Middle East supply risks. The step highlights concerns over prolonged global shortages of the irreplaceable gas used in chipmaking and medical imaging.