Reverse Proxy Vulnerability in Gitea Docker Image Affects User Authentication
CVE-2026-20896
9.8 CRITICAL
What is CVE-2026-20896?
The Gitea Docker image sets REVERSE_PROXY_TRUSTED_PROXIES to '*' by default. With this setting, a request from any source IP address can impersonate a user when reverse-proxy authentication headers, such as X-WEBAUTH-USER, are enabled. If exploited, this leads to unauthorized access and poses a significant risk to user security. Users are advised to ensure proper configuration to mitigate this issue and consider upgrading to the latest version.
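A configuration check for the condition described above, as an added example that is not code from Gitea or from this advisory: it reads an app.ini and reports trusted-proxy entries that match every source address while reverse-proxy authentication is enabled. The sample files are constructed, the proxy address 10.0.0.5 is an assumption, and the check also flags the all-zero CIDRs 0.0.0.0/0 and ::/0, which go beyond the '*' value the advisory names.

```python
import configparser
import ipaddress

# Constructed sample app.ini (not from a real deployment).
WEAK_INI = """\
APP_NAME = Gitea
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = *
"""
# 10.0.0.5 is an assumed address for the one reverse proxy in front of Gitea.
HARDENED_INI = WEAK_INI.replace("= *", "= 10.0.0.5/32")


def matches_any_source(entry):
    """True if a trusted-proxy entry covers every source address."""
    if entry == "*":
        return True
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False  # not an IP or CIDR, so not a catch-all


def audit_app_ini(text):
    """Return findings for the reverse-proxy authentication settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names as written
    # app.ini can open with keys outside any section; park them in a holder section.
    cp.read_string("[__root__]\n" + text)
    if not cp.getboolean("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback=False):
        return []  # header login disabled, so the trust list is not an auth path
    trusted = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback=None)
    if trusted is None:
        return ["REVERSE_PROXY_TRUSTED_PROXIES is unset; "
                "the advisory gives '*' as the Docker image default"]
    entries = [e.strip() for e in trusted.split(",") if e.strip()]
    return [f"REVERSE_PROXY_TRUSTED_PROXIES entry {e!r} trusts any source IP"
            for e in entries if matches_any_source(e)]


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_app_ini(ini) or "ok")
```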
Affected Version(s)
Gitea Open Source Git Server 0 <= 1.26.2
