Active Exploitation Reported for Critical Gitea Authentication Flaw

Security researchers say attackers are already taking advantage of a critical vulnerability in Gitea that can let them bypass authentication on exposed instances and reach private repositories and sen...

Security researchers say attackers are already taking advantage of a critical vulnerability in Gitea that can let them bypass authentication on exposed instances and reach private repositories and sensitive credentials.

The flaw, tracked as CVE-2026-20896, affects Gitea’s official Docker images before version 1.26.3 and carries a CVSS score of 9.8. According to researchers, the issue stems from the way reverse-proxy authentication was configured by default. In affected deployments, Gitea accepted traffic from any source IP address rather than limiting trust to a proxy allowlist, creating a path for abuse if the service was reachable directly.

In practice, an attacker who knows or can guess a valid username may be able to send a single HTTP header and impersonate that user. Sysdig researcher Michael Clark said telemetry showed the first observed exploitation attempt occurred 13 days after the vulnerability was publicly disclosed and appeared to come from a scanner using a VPN exit node.

Ali Mustafa, who discovered the problem, explained that reverse-proxy authentication is supposed to rely on headers added by the trusted proxy. Because the affected configuration trusted requests too broadly, a direct connection to the Gitea container’s HTTP port could allow an attacker to log in as another user without a password or token.

Why it matters

If successful, the attack could expose or alter a wide range of development assets, including:

  • Private and public source code repositories
  • Accidentally committed secrets such as API keys and database credentials
  • CI/CD configuration files
  • Deployment keys and other access material

Researchers said they identified roughly 6,200 Gitea instances that were reachable from the internet, though not all are necessarily vulnerable. Administrators are being urged to patch quickly, since compromise of a Gitea server can give an intruder broad access to code and secrets stored in the platform.

Gitea versions 1.26.3 and 1.26.4 change the behavior so reverse-proxy authentication must be enabled explicitly. Until systems are updated, organizations are advised to restrict exposure of Gitea services and ensure only the intended proxy can communicate with the application.