🔴 Critical  |  Source: The Hacker News


A critical vulnerability (CVE-2026-20896, CVSS 9.8) in Gitea Docker images allows unauthenticated attackers to gain elevated privileges by spoofing the X-WEBAUTH-USER HTTP header, which Gitea trusts from any source IP. Active exploitation attempts have been observed just 13 days after public disclosure, indicating rapid uptake by threat actors. Organisations running Gitea in Docker environments are at immediate risk of full account takeover without requiring any credentials.

Security Architect’s Take: Patch Gitea Docker deployments to the latest version immediately and, as a belt-and-braces measure, ensure X-WEBAUTH-USER header stripping is enforced at your ingress or reverse proxy layer so external traffic cannot inject trusted authentication headers. Audit your container registry and CI/CD pipelines for any exposed Gitea instances and review access logs for anomalous authentication events dating back to initial disclosure.

Original advisory: Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure