Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets.

Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username.

Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says.

The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains.

If placed behind a proxy, Gitea should trust only a header set by the proxy when reverse-proxy authentication is enabled. Because of the flaw, anyone who could provide a valid username in a header could connect to a vulnerable instance, bypassing authentication.

“Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” the researcher notes.

The patch that was introduced in Gitea versions 1.26.3 / 1.26.4 makes reverse-proxy authentication an opt-in feature.

Advertisement. Scroll to continue reading.

According to Clark, CVE-2026-20896’s exploitation started 13 days after public disclosure. The attempt was associated with a “VPN-exit scanner that grabbed access”.

“No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory,” Clark notes.

While Sysdig’s research revealed approximately 6,200 Gitea instances accessible from the internet, it is unclear how many of them are vulnerable.

Users are advised to update their Gitea deployments as soon as possible, as the successful exploitation of the vulnerability could lead to the complete compromise of all the code and secrets Gitea holds.

“A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys,” Clark notes.

Related: Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Related: CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

Related: Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari

Related: Gitea Vulnerability Exposed 30,000 Deployments to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.