Reverse Proxy Vulnerability in Gitea Docker Image Affects User Authentication
CVE-2026-20896

9.8 CRITICAL

Key Information:

Vendor:
Gitea

CVE Published:
3 July 2026

What is CVE-2026-20896?

The Gitea Docker image ships with the configuration option REVERSE_PROXY_TRUSTED_PROXIES set to '*' by default. With this setting, any source IP address is treated as a trusted reverse proxy, so when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled, any client can supply that header and impersonate an arbitrary user. This can result in unauthorized access and poses a significant risk to user security. Users are advised to restrict REVERSE_PROXY_TRUSTED_PROXIES to the addresses of their actual reverse proxy and to consider upgrading to the latest version.
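As an added example (not code from the advisory or the Gitea project), the following audit script reads a Gitea app.ini and flags the wildcard trusted-proxy setting whenever header-based reverse-proxy authentication is switched on. It assumes the standard Gitea key names ENABLE_REVERSE_PROXY_AUTHENTICATION, REVERSE_PROXY_AUTHENTICATION_USER and REVERSE_PROXY_LIMIT alongside the REVERSE_PROXY_TRUSTED_PROXIES and X-WEBAUTH-USER options named above; both sample configurations are constructed.

```python
import configparser
import ipaddress

# Constructed sample of a Gitea app.ini carrying the weak Docker default described above.
VULNERABLE_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = *
"""

# Constructed hardened variant: only a proxy on the loopback interface may set the header.
HARDENED_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
REVERSE_PROXY_LIMIT = 1
"""

def _parse(ini_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Gitea keys are upper-case; keep them as written
    cp.read_string(ini_text)
    return cp

def audit_reverse_proxy(ini_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    cp = _parse(ini_text)
    enabled = cp.get("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback="false")
    if enabled.strip().lower() != "true":
        return []  # header-based auth is off, so the trusted-proxy list is not consulted
    raw = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback="")
    findings = []
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        if entry == "*":
            findings.append("trusted proxies is '*': any client can forge the auth header")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"unparseable trusted proxy entry: {entry!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is a wildcard in disguise
            findings.append(f"trusted proxies contains catch-all range {entry}")
    return findings
```

Run it against the app.ini mounted into the container; a non-empty result means the reverse proxy, not the client, must be the only party able to reach Gitea's listening port before header authentication is safe.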

Affected Version(s)

Gitea Open Source Git Server, from 0 up to and including 1.26.2

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

rz1027