CVE-2026-20896: Gitea Docker Image Allows Impersonation via Reverse-Proxy Headers
Summary
Gitea's Docker image ships with a default setting that lets any client impersonate a user once certain reverse-proxy authentication headers are enabled. This matters because it could be used to access user accounts or sensitive data. To fix this, update to a newer version of Gitea that does not enable this setting by default.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| gitea | gitea open source git server | <= 1.26.2 |
Original title
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as...
Original description
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
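The description above names the dangerous combination: a trusted-proxy list of `*` together with header-based authentication. The following check, written for this page and not part of Gitea or the advisory, parses a Gitea-style app.ini (and the Docker image's `GITEA__section__KEY` environment overrides) and flags that combination. The section and key names (`[security] REVERSE_PROXY_TRUSTED_PROXIES`, `[service] ENABLE_REVERSE_PROXY_AUTHENTICATION`, `REVERSE_PROXY_AUTHENTICATION_USER`) follow Gitea's documented app.ini layout as I recall it and are an assumption to verify against your own deployment; the sample configurations and environment are constructed.

```python
import configparser
from typing import Dict, List

# Constructed sample configurations (not taken from the page or from Gitea).
# Section/key names follow Gitea's app.ini layout for [security] and
# [service] as documented; treat them as an assumption and compare against
# the app.ini of your own deployment.
VULNERABLE_INI = """\
APP_NAME = Gitea

[security]
REVERSE_PROXY_TRUSTED_PROXIES = *

[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""

HARDENED_INI = """\
[security]
; only the reverse proxy's own address may supply authentication headers
REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.5/32

[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""

# Constructed container environment mirroring the Docker image default the
# advisory describes. The GITEA__<section>__<KEY> mapping is how the image
# overrides app.ini keys (assumed here; verify it for your image version).
VULNERABLE_ENV = {
    "GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES": "*",
    "GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION": "true",
}


def _parse_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Gitea keys are upper-case and case-sensitive; keep them as written
    # Gitea permits keys before the first [section]; configparser does not,
    # so park them in a synthetic section.
    cp.read_string("[__root__]\n" + text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def trusted_proxies_is_wildcard(value: str) -> bool:
    """True when the comma-separated proxy list contains '*', i.e. every source IP is trusted."""
    return any(part.strip() == "*" for part in value.split(","))


def audit_gitea_ini(text: str) -> List[str]:
    """Return findings for the wildcard-trusted-proxy / header-auth combination."""
    cp = _parse_ini(text)
    proxies = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback="")
    auth_on = _truthy(cp.get("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback="false"))
    header = cp.get("service", "REVERSE_PROXY_AUTHENTICATION_USER", fallback="X-WEBAUTH-USER")

    findings: List[str] = []
    if not trusted_proxies_is_wildcard(proxies):
        return findings
    if auth_on:
        findings.append(
            "CRITICAL: REVERSE_PROXY_TRUSTED_PROXIES trusts every source IP while "
            "reverse-proxy authentication is enabled, so any client that reaches Gitea "
            f"directly can set {header} and be treated as that user (CVE-2026-20896 pattern). "
            "Restrict the list to the proxy's own address(es)."
        )
    else:
        findings.append(
            "WARNING: REVERSE_PROXY_TRUSTED_PROXIES is '*'; harmless only until "
            "reverse-proxy authentication is switched on. Restrict it now."
        )
    return findings


def audit_gitea_env(env: Dict[str, str]) -> List[str]:
    """Translate GITEA__section__KEY variables into app.ini text and audit that."""
    sections: Dict[str, Dict[str, str]] = {}
    for name, value in env.items():
        parts = name.split("__", 2)
        if len(parts) != 3 or parts[0] != "GITEA":
            continue
        _, section, key = parts
        sections.setdefault(section, {})[key] = value
    lines: List[str] = []
    for section, keys in sections.items():
        lines.append(f"[{section}]")
        lines.extend(f"{k} = {v}" for k, v in keys.items())
    return audit_gitea_ini("\n".join(lines) + "\n")


if __name__ == "__main__":
    for label, text in (("vulnerable app.ini", VULNERABLE_INI), ("hardened app.ini", HARDENED_INI)):
        print(label, "->", audit_gitea_ini(text) or ["OK"])
    print("container env ->", audit_gitea_env(VULNERABLE_ENV))
```

The hardened form keeps header authentication on but limits `REVERSE_PROXY_TRUSTED_PROXIES` to the proxy's address, so a request that bypasses the proxy and carries its own `X-WEBAUTH-USER` header is not trusted; pair this with network rules that stop clients from reaching Gitea except through the proxy.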
MITRE CVSS 3.1 score: 9.8
Vulnerability type
CWE-284: Improper Access Control
Published: 3 Jul 2026 · Updated: 5 Jul 2026 · First seen: 3 Jul 2026