Threat Actors Begin Scanning for Gitea Docker Flaw CVE-2026-20896 Soon After Disclosure

Security researchers say attackers have already started looking for exposed Gitea instances vulnerable to a critical flaw in the platform’s Docker images, just under two weeks after the issue was made...

Security researchers say attackers have already started looking for exposed Gitea instances vulnerable to a critical flaw in the platform’s Docker images, just under two weeks after the issue was made public.

The bug, tracked as CVE-2026-20896 and rated 9.8 on the CVSS scale, affects Gitea Docker builds released before and including version 1.26.2. According to the advisory, the problem centers on reverse-proxy authentication settings that can be abused when the service trusts the X-WEBAUTH-USER header from an untrusted source.

Ali Mustafa, the researcher credited with finding the issue, said the Docker image shipped with an app.ini template that set REVERSE_PROXY_TRUSTED_PROXIES to a wildcard value by default. In practice, that means any client able to reach the application directly could potentially impersonate a user by sending a crafted header. If self-registration is enabled, an attacker who claims an administrator-style username may even gain elevated access.

Gitea’s documented safe configuration limits trusted proxies to localhost addresses, but the Docker image did not follow that guidance. The software maker addressed the issue in version 1.26.3, released late last month, by removing the wildcard default and making reverse-proxy authentication an explicit choice.

Cloud security firm Sysdig reported that it observed the first probe tied to this flaw 13 days after disclosure. The activity appeared to be early-stage reconnaissance rather than a full intrusion attempt. Sysdig said the request came from an IP address associated with the ProtonVPN service, and noted that the behavior had not yet advanced into exploitation.

What organizations should know

  • Gitea Docker images through 1.26.2 are affected.
  • Instances exposed to the internet may be at higher risk.
  • Administrators should upgrade to 1.26.3 or later as soon as possible.
  • Teams using reverse-proxy authentication should review trusted proxy settings and access paths.

Researchers estimate there are roughly 6,200 internet-facing Gitea instances, underscoring the need for rapid patching and configuration review.