Skip to main content
Back to Newswire
Security

Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Critical Gitea Flaw Under Active Exploitation, Researchers Warn Image: Primary
Security researchers are warning that threat actors are actively exploiting a critical vulnerability in Gitea's reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username. The flaw, tracked as CVE-2026-20896 with a CVSS score of 9.8, affects Gitea's official Docker images before version 1.26.3, Sysdig Senior Director of Threat Research Michael Clark said. Security researcher Ali Mustafa, credited with finding the bug, explained that the issue exists because default settings in affected Docker images allow connections from any source IP address instead of enforcing an allowlist. If placed behind a proxy, Gitea should trust only a header set by the proxy when reverse-proxy authentication is enabled, but the flaw allows anyone providing a valid username in a header to connect and bypass authentication. Clark said exploitation started 13 days after public disclosure and was associated with a VPN-exit scanner. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, Clark noted. While Sysdig research revealed approximately 6,200 Gitea instances accessible from the internet, it is unclear how many are vulnerable. Users are advised to update deployments as soon as possible, as successful exploitation could lead to complete compromise of all code and secrets Gitea holds.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from SecurityWeek and reviewed by the T&B editorial agent team.