CVE-2026-20896: Gitea Docker image trusts spoofable reverse-proxy headers by default
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authentication bypass vulnerability in the official Gitea Docker image (versions up to and including 1.26.2). The image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default, so when reverse-proxy authentication is enabled, any remote host that can reach the service can send an X-WEBAUTH-USER header and impersonate any Gitea account, including site administrators, without supplying credentials. Successful exploitation gives an attacker full read and write access to all repositories and user data, and can crash or corrupt the service. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-20896 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images that extend the official Gitea base. Both registry scans and in-pipeline image checks are covered.
- Triage: Available. Triage is available with a CVSS v3.1 score of 9.8 (Critical), weighted further by any per-environment compliance policies each customer has configured. Findings are routed to the inbox or ticketing integration the customer has designated for Critical-severity issues.
- Remediation: Pending upstream. No upstream fix version has been published for this CVE. HarborGuard re-checks the Gitea advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, a regression-test run, and a PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to send HTTP requests to the Gitea service over the network; any host that can reach the exposed port is a potential source of spoofed headers.
- Authentication: Not required
  No credentials are needed; the default REVERSE_PROXY_TRUSTED_PROXIES=* configuration causes Gitea to accept identity headers from any source without verification.
- Victim interaction: Not required
  No user action is needed; the attacker sends a crafted request directly to the Gitea endpoint and the server processes it immediately.
- Attack complexity: Low
  The exploit is reliable and condition-free: the attacker only needs to set an HTTP header to an arbitrary username, with no race conditions or environmental dependencies.
Blast Radius
- Reads any repository content, including private repositories and stored secrets committed to code.
- Modifies or deletes repository data, branches, and releases across any project on the instance.
- Impersonates administrators to change user accounts, revoke access, or alter site-wide settings.
- Disrupts service availability by abusing administrative APIs to corrupt configuration or exhaust resources.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Gitea advisory for CVE-2026-20896 on every ingest cycle, with automatic detection of all image tags at or below version 1.26.2. Because no upstream fix exists at this time, HarborGuard cannot yet offer an automated patched-image rebuild; however, the rebuild will become available the moment Gitea publishes a fix, and customers with auto-remediation enabled will receive the rebuild, regression-test run, and a PR against affected workloads without any manual steps.
In the interim, customers can reduce exposure through several compensating controls:
- Apply a strict network policy to limit which source IPs can reach the Gitea service.
- Set REVERSE_PROXY_TRUSTED_PROXIES explicitly to only the IP or CIDR of your actual reverse proxy rather than the wildcard default.
- Disable X-WEBAUTH-USER header-based authentication entirely if reverse-proxy auth is not in active use.
- Use egress filtering to prevent lateral movement if the service is compromised.
HarborGuard will surface updated guidance in the finding detail as the advisory status changes.
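As an added illustration of the second and third compensating controls above (example code, not HarborGuard's or Gitea's own), the following Python audit reads a Gitea app.ini, reports a wildcard REVERSE_PROXY_TRUSTED_PROXIES value, and shows from which source addresses the identity header would be honored. It assumes Gitea's documented app.ini keys ([service] ENABLE_REVERSE_PROXY_AUTHENTICATION, [security] REVERSE_PROXY_TRUSTED_PROXIES and [security] REVERSE_PROXY_AUTHENTICATION_USER) and their documented defaults; the two sample configurations and the proxy address 10.0.0.5 are constructed.

```python
"""Audit a Gitea app.ini for wildcard reverse-proxy trust.

Added example, not HarborGuard or Gitea code. Assumes the upstream app.ini
keys named below; the sample configs are constructed.
"""
import configparser
import ipaddress

# Constructed sample: the Docker-image default ("*") with header auth enabled.
RISKY_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_TRUSTED_PROXIES = *
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""

# Constructed sample: trust limited to the single address of the real proxy.
HARDENED_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.5/32
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""

# Gitea's documented defaults when the key is absent (assumption).
DEFAULT_TRUSTED = "127.0.0.0/8,::1/128"
DEFAULT_HEADER = "X-WEBAUTH-USER"


def trusted_networks(setting):
    """Split the comma-separated list into networks; None means 'trust every source'."""
    entries = [e.strip() for e in setting.split(",") if e.strip()]
    if "*" in entries:
        return None
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # raises ValueError on junk
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is a wildcard in disguise
            return None
        nets.append(net)
    return nets


def header_trusted_from(client_ip, setting):
    """Would the identity header be honored from this source address?"""
    nets = trusted_networks(setting)
    if nets is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def audit(ini_text):
    """Return findings for one app.ini; an empty list means the trust boundary is explicit."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    auth_on = cp.getboolean("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback=False)
    setting = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback=DEFAULT_TRUSTED)
    header = cp.get("security", "REVERSE_PROXY_AUTHENTICATION_USER", fallback=DEFAULT_HEADER)
    try:
        nets = trusted_networks(setting)
    except ValueError as exc:
        return [f"REVERSE_PROXY_TRUSTED_PROXIES is unparseable ({exc}); fix it before relying on it"]
    if nets is None:
        # The wildcard is critical only once header auth is on; otherwise it is a latent risk.
        if auth_on:
            return [f"CRITICAL: wildcard trusted proxies ({setting!r}); "
                    f"{header} is honored from any source IP"]
        return [f"WARNING: wildcard trusted proxies ({setting!r}); "
                f"{header} becomes spoofable as soon as reverse-proxy auth is enabled"]
    return []


if __name__ == "__main__":
    for name, ini in (("risky", RISKY_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or ["OK: trusted proxies are explicit"])
```

The same keys can be set in the Docker image through environment variables of the form GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES; the audit only reads the rendered app.ini, so run it against the file inside the container rather than against the compose file.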
Affected Products
- Gitea / Gitea Open Source Git Server: ≤ 1.26.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H