Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the X-WEBAUTH-USER header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access.
In a statement shared with The Hacker News via email, security researcher Ali Mustafa (@rz1027), who is credited with discovering and reporting the flaw, said the Gitea Docker images shipped an app.ini template that hard-codes REVERSE_PROXY_TRUSTED_PROXIES = * by default. The app.ini file is a core configuration file for managing server parameters, database connections, security behavior, and application settings.
"With reverse-proxy login enabled, that wildcard trusts every source IP, so anyone who could reach the port could send an X-WEBAUTH-USER header and be authenticated as any user, with no password and no token," Mustafa explained. "With auto-registration on, an admin username gives admin."
It's worth noting that the documented safe value for the REVERSE_PROXY_TRUSTED_PROXIES internal variable is 127.0.0.0/8,::1/128, meaning only localhost (the loopback interface) is allowed as a trusted proxy server. However, the official Docker image doesn't use this default, hard-coding * instead. In other words, the allowlist check is as good as not having it.
Thus, when an admin sets ENABLE_REVERSE_PROXY_AUTHENTICATION = true to put Gitea behind an authenticating reverse proxy and leaves the REVERSE_PROXY_TRUSTED_PROXIES setting to its default value, it allows an X-WEBAUTH-USER custom HTTP header from any source IP that can reach the container.
"Any process that can reach the Gitea container's HTTP port directly โ not through the intended authenticating proxy โ can impersonate any user whose login name is known or guessable," according to Gitea's advisory. "Admin accounts (admin, gitea_admin, etc.) are the obvious targets."
The vulnerability affects Gitea Docker images versions before and including 1.26.2. It has been addressed in version 1.26.3 released late last month, with the * wildcard now removed and reverse-proxy authentication made opt-in.
Cloud security company Sysdig has since revealed it detected the first in-the-wild exploitation attempt 13 days after public disclosure of the vulnerability. There are about 6,200 internet-facing Gitea instances.
"So far, the activities have been related to initial investigation by the threat actor," Michael Clark, senior director of threat research at Sysdig, told The Hacker News. "While we saw the first action from an IP from the ProtonVPN service, 159.26.98[.]241 it has not so far progressed to any exploitation or attack progress. We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase."
Given the severity of the issue, it's essential that users apply the fixes as soon as possible for optimal protection.
Comments
No comments yet. Start the discussion.