Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 Just 13 Days After Disclosure
Exploitation attempts for a critical Gitea Docker image vulnerability (CVE-2026-20896) have been observed just 13 days after its public disclosure, highlighting the rapid pace of threat actor activity.

Threat actors are actively probing Gitea Docker images for CVE-2026-20896, a critical vulnerability with a CVSS score of 9.8, according to recent analysis by Sysdig. This flaw allows unauthenticated internet clients to gain elevated privileges by exploiting the platform's trust in the "X-WEBAUTH-USER" header from any IP address. The exploitation attempts were detected a mere 13 days after the vulnerability's disclosure, underscoring the urgency for users to apply patches.
The vulnerability stems from Gitea Docker images shipping an "app.ini" template that hard-codes "REVERSE_PROXY_TRUSTED_PROXIES = *" by default. This configuration, when reverse-proxy login is enabled, trusts any source IP address. Consequently, any unauthenticated internet client capable of reaching the Gitea container's HTTP port can send a crafted "X-WEBAUTH-USER" header to authenticate as any user, bypassing password and token requirements. If auto-registration is also enabled, an attacker can easily gain administrative privileges by impersonating an administrator account.
Security researcher Ali Mustafa, who discovered the flaw, explained that the default configuration effectively removes any security benefit from the "REVERSE_PROXY_TRUSTED_PROXIES" setting. The intended secure value for this setting is typically restricted to localhost addresses (e.g., "127.0.0.0/8,::1/128"), ensuring that only trusted local proxies can inject authentication headers. However, the official Docker image's default of "*" negates this protection, allowing any external source to impersonate users.
According to Gitea's own advisory, the vulnerability affects Gitea Docker images versions prior to and including 1.26.2. The issue has since been addressed in version 1.26.3, which was released late last month. The updated version removes the problematic "*" wildcard and makes reverse-proxy authentication an opt-in feature, requiring explicit configuration rather than relying on insecure defaults.
Sysdig's threat research team has reported detecting the initial exploitation attempts originating from an IP address associated with the ProtonVPN service. While these initial activities appear to be reconnaissance and probing rather than full-blown exploitation, they signal that threat actors are actively testing vulnerable systems. With an estimated 6,200 internet-facing Gitea instances, the potential attack surface is significant.
Michael Clark, senior director of threat research at Sysdig, noted that the observed activities have so far been limited to initial investigation. "While we saw the first action from an IP from the ProtonVPN service, 159.26.98[.]241 it has not so far progressed to any exploitation or attack progress. We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase," Clark stated.
The rapid emergence of exploitation attempts following the disclosure of CVE-2026-20896 highlights a persistent trend in the cybersecurity landscape: vulnerabilities, especially those with high CVSS scores and straightforward exploitation paths, are quickly targeted by malicious actors. The DevOps ecosystem, with its interconnected tools and services, remains a prime target for attackers seeking to gain access to sensitive code repositories and development pipelines.
Given the critical nature of this vulnerability and the observed in-the-wild probing, it is imperative for organizations using Gitea Docker images to update to version 1.26.3 or later immediately. Implementing proper security configurations for reverse proxies and regularly auditing system settings are crucial steps to mitigate the risk of such attacks and protect development environments.