Threat actors scan for Gitea Docker authentication flaw
🔍 Security researchers report that threat actors have started probing a critical Gitea Docker image vulnerability, CVE-2026-20896 (CVSS 9.8). The flaw arises because the official Docker image sets REVERSE_PROXY_TRUSTED_PROXIES = * by default, allowing unauthenticated clients to send an X-WEBAUTH-USER header and gain elevated access when reverse-proxy authentication is enabled. Gitea patched the issue in version 1.26.3 by removing the wildcard and making reverse-proxy authentication opt-in, and Sysdig observed initial exploitation attempts shortly after disclosure.
