CRITICAL | CVE-2026-20896 | CNA: Gitea

CVE-2026-20896: Gitea Docker image trusts spoofable reverse-proxy headers by default

Gitea Docker image versions up to and including 1.26.2 ship with REVERSE_PROXY_TRUSTED_PROXIES=* by default, so Gitea treats every source IP as a trusted reverse proxy. When reverse-proxy authentication (identity headers such as X-WEBAUTH-USER) is enabled, a request from any host that can reach the service can therefore impersonate any user.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2). The image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default, so Gitea treats every client address as a trusted reverse proxy. On instances where reverse-proxy authentication is enabled, any remote host that can reach the Gitea port can therefore send an X-WEBAUTH-USER header naming any account, including a site administrator, and be treated as that user without supplying credentials. Successful exploitation gives full read and write access to all repositories and user data, and the resulting administrative access can be used to disrupt or corrupt the service. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-20896 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images that extend the official Gitea base. Both registry scans and in-pipeline image checks are covered.

Triage: Available

Triage is available with a CVSS v3.1 score of 9.8 (Critical), weighted further by any per-environment compliance policies each customer has configured. Findings are routed to the inbox or ticketing integration the customer has designated for Critical-severity issues.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the Gitea advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, a regression-test run, and a PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send HTTP requests to the Gitea service directly, rather than through a reverse proxy that overwrites the identity header; any host that can reach the exposed port is a potential source of spoofed headers.

  • Authentication: Not required

    No credentials are needed; with REVERSE_PROXY_TRUSTED_PROXIES=* Gitea accepts the identity header from any source without verifying that the request came from the real reverse proxy.

  • Victim interaction: Not required

    No user action is needed; the attacker sends a crafted request directly to the Gitea endpoint and the server processes it immediately.

  • Attack complexity: Low (AC:L)

    On an instance with reverse-proxy authentication enabled, the exploit is reliable and deterministic: the attacker only needs to set one HTTP header to an arbitrary username, with no race conditions or timing dependencies.

Blast Radius

  • Reads any repository content, including private repositories and stored secrets committed to code.
  • Modifies or deletes repository data, branches, and releases across any project on the instance.
  • Impersonates administrators to change user accounts, revoke access, or alter site-wide settings.
  • Disrupts service availability by abusing administrative APIs to corrupt configuration or exhaust resources.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Gitea advisory for CVE-2026-20896 on every ingest cycle, with automatic detection of all image tags at or below version 1.26.2. Because no upstream fix exists at this time, HarborGuard cannot yet offer an automated patched-image rebuild; the rebuild will become available the moment Gitea publishes a fix, and customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR against affected workloads without manual steps.

In the interim, customers can reduce exposure through several compensating controls:

  • Set REVERSE_PROXY_TRUSTED_PROXIES explicitly to the IP or CIDR of the actual reverse proxy rather than the wildcard default, so that identity headers are honoured only when the request comes from that address.
  • Disable reverse-proxy authentication (ENABLE_REVERSE_PROXY_AUTHENTICATION) entirely if it is not in active use; with it off, X-WEBAUTH-USER is ignored regardless of the trusted-proxy list.
  • Apply a strict network policy so that only the reverse proxy can reach the Gitea port; a client that can connect directly bypasses whatever the proxy does to the header.
  • Confirm that the reverse proxy itself sets or strips X-WEBAUTH-USER on every forwarded request rather than passing a client-supplied value through; trusting the proxy's address does not help if the proxy forwards the header untouched.
  • Use egress filtering to limit lateral movement if the service is compromised.

HarborGuard will surface updated guidance in the finding detail as the advisory status changes.
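The exploit condition and the first two compensating controls above come down to two settings in Gitea's app.ini: whether the trusted-proxy list admits every source, and whether reverse-proxy authentication is switched on at all. The audit script below is an added example, not HarborGuard's or Gitea's own code. It parses an app.ini (the sample is constructed to mirror the Docker image template with reverse-proxy authentication enabled by the operator), reports whether Gitea would honour an identity header arriving from an arbitrary client, and renders the corrected [security] keys. The setting names are Gitea's documented ones; the proxy address 10.0.0.5/32 and the client address 203.0.113.7 are placeholders.

```python
"""Audit a Gitea app.ini for the CVE-2026-20896 exposure.
Added example, not HarborGuard's or Gitea's code; addresses and the
sample app.ini are constructed, setting names are Gitea's documented ones."""
import configparser
import ipaddress

# Constructed sample: the Docker image template's wildcard trusted-proxy
# list, with reverse-proxy authentication switched on by the operator.
VULNERABLE_APP_INI = """\
APP_NAME = Gitea: Git with a cup of tea

[security]
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *

[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""

# Same instance with the wildcard replaced by the real proxy (placeholder CIDR).
HARDENED_APP_INI = VULNERABLE_APP_INI.replace(
    "REVERSE_PROXY_TRUSTED_PROXIES = *",
    "REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.5/32",
)

# The image as shipped: wildcard present, but reverse-proxy auth left off.
AUTH_DISABLED_APP_INI = VULNERABLE_APP_INI.replace(
    "ENABLE_REVERSE_PROXY_AUTHENTICATION = true",
    "ENABLE_REVERSE_PROXY_AUTHENTICATION = false",
)

# Gitea's documented defaults, used when a key is absent from the file.
DEFAULTS = {
    ("security", "REVERSE_PROXY_TRUSTED_PROXIES"): "127.0.0.0/8,::1/128",
    ("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION"): "false",
    ("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION_API"): "false",
    ("service", "REVERSE_PROXY_AUTHENTICATION_USER"): "X-WEBAUTH-USER",
}


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Gitea's upper-case keys exactly as written
    # Gitea allows keys above the first [section]; configparser does not.
    cp.read_string("[__root__]\n" + text)
    return cp


def setting(cp, section, key):
    if cp.has_option(section, key):
        return cp.get(section, key).strip()
    return DEFAULTS.get((section, key), "")


def parse_trusted(value):
    """Comma-separated IPs/CIDRs; returns None for '*' (trust everyone)."""
    nets = []
    for item in (s.strip() for s in value.split(",")):
        if item == "*":
            return None
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def trusts_any_source(trusted):
    # '*' or a zero-length prefix (0.0.0.0/0, ::/0) trusts every client.
    return trusted is None or any(net.prefixlen == 0 for net in trusted)


def is_trusted_source(trusted, remote_ip):
    """Would a request from remote_ip be treated as coming from the proxy?"""
    if trusted is None:
        return True
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in trusted)


def assess(ini_text):
    cp = load_ini(ini_text)
    trusted_raw = setting(cp, "security", "REVERSE_PROXY_TRUSTED_PROXIES")
    open_trust = trusts_any_source(parse_trusted(trusted_raw))
    auth_on = any(
        setting(cp, "service", key).lower() == "true"
        for key in ("ENABLE_REVERSE_PROXY_AUTHENTICATION",
                    "ENABLE_REVERSE_PROXY_AUTHENTICATION_API"))
    return {
        "trusted_proxies": trusted_raw,
        "trusts_any_source": open_trust,
        "reverse_proxy_auth_enabled": auth_on,
        "identity_header": setting(cp, "service", "REVERSE_PROXY_AUTHENTICATION_USER"),
        # Spoofable only when Gitea honours the header AND trusts every source.
        "header_spoofable_from_any_ip": open_trust and auth_on,
    }


def hardened_security_section(proxy_cidrs):
    # [security] keys that replace the wildcard with the real proxy address(es).
    return ("[security]\nREVERSE_PROXY_LIMIT = 1\n"
            f"REVERSE_PROXY_TRUSTED_PROXIES = {','.join(proxy_cidrs)}\n")


if __name__ == "__main__":
    for name, ini in [("vulnerable", VULNERABLE_APP_INI), ("hardened", HARDENED_APP_INI),
                      ("auth disabled", AUTH_DISABLED_APP_INI)]:
        print(name, assess(ini))
    client = "203.0.113.7"  # placeholder attacker address
    print("trusted with '*':", is_trusted_source(parse_trusted("*"), client))
    print("trusted after fix:", is_trusted_source(parse_trusted("10.0.0.5/32"), client))
    print(hardened_security_section(["10.0.0.5/32"]))
```

Run it against a copy of the container's app.ini (the official image writes it to /data/gitea/conf/app.ini by default). The "auth disabled" case shows why the wildcard alone is a latent rather than an active exposure: Gitea ignores X-WEBAUTH-USER unless reverse-proxy authentication is on, which is also why the finding should be re-run whenever that setting changes. In Docker the corrected value can be injected without editing the file through Gitea's environment-to-ini convention, for example GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=10.0.0.5/32.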

Affected packages
  • Gitea / Gitea Open Source Git Server
    ≤ 1.26.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H