
CVE-2026-20896: Gitea Docker Image Allows Impersonation via Reverse-Proxy Headers

Summary

Gitea's Docker image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default, so when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled, a request from any source IP can supply that header and be treated as the named user. This matters because it could be used to access user accounts or sensitive data. To fix this, update to a newer version of Gitea that does not ship with this default.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor   Product                        Affected versions
gitea    gitea open source git server   <= 1.26.2
Original title
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as...
Original description
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
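The decision the description turns on is whether the server honors an identity header only from a trusted proxy. The Go program below is an added illustration of that check and is not Gitea's own code: it parses a REVERSE_PROXY_TRUSTED_PROXIES-style value, where "*" trusts every peer and a list of IPs or CIDRs restricts trust, and then resolves the user from X-WEBAUTH-USER only when the request's peer address is trusted. The peer addresses and usernames are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// TrustedProxyPolicy models the trust decision a reverse-proxy-auth setup
// must make: identity headers are meaningful only when they arrive from a
// proxy the server trusts. This is an illustration, not Gitea's implementation.
type TrustedProxyPolicy struct {
	trustAll bool
	nets     []*net.IPNet
}

// NewTrustedProxyPolicy parses a REVERSE_PROXY_TRUSTED_PROXIES-style value:
// "*" trusts every peer; otherwise a comma-separated list of IPs and CIDRs.
func NewTrustedProxyPolicy(value string) (*TrustedProxyPolicy, error) {
	p := &TrustedProxyPolicy{}
	for _, item := range strings.Split(value, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if item == "*" {
			p.trustAll = true // the vulnerable default: every source IP is a "proxy"
			continue
		}
		if !strings.Contains(item, "/") {
			// A bare IP becomes a host-sized CIDR so it can be matched uniformly.
			ip := net.ParseIP(item)
			if ip == nil {
				return nil, fmt.Errorf("invalid trusted proxy entry %q", item)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			item = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, err
		}
		p.nets = append(p.nets, n)
	}
	return p, nil
}

// Trusts reports whether a peer address is an acceptable source of identity headers.
func (p *TrustedProxyPolicy) Trusts(peer net.IP) bool {
	if p.trustAll {
		return true
	}
	for _, n := range p.nets {
		if n.Contains(peer) {
			return true
		}
	}
	return false
}

// ResolveUser returns the username carried in X-WEBAUTH-USER only when the
// request's peer is trusted; otherwise it returns "" (treat as anonymous).
func ResolveUser(p *TrustedProxyPolicy, remoteAddr string, headers http.Header) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present; use the address as given
	}
	peer := net.ParseIP(host)
	if peer == nil || !p.Trusts(peer) {
		return ""
	}
	return headers.Get("X-WEBAUTH-USER")
}

func main() {
	h := http.Header{}
	h.Set("X-WEBAUTH-USER", "admin") // constructed header from an untrusted client

	wildcard, _ := NewTrustedProxyPolicy("*")
	restricted, _ := NewTrustedProxyPolicy("127.0.0.0/8, 10.0.0.5")

	// 203.0.113.7 is a constructed, non-proxy source address.
	fmt.Printf("wildcard   -> %q\n", ResolveUser(wildcard, "203.0.113.7:51234", h))
	fmt.Printf("restricted -> %q\n", ResolveUser(restricted, "203.0.113.7:51234", h))
	fmt.Printf("from proxy -> %q\n", ResolveUser(restricted, "10.0.0.5:443", h))
}
```

The first line of output shows the failure mode the advisory describes: with the wildcard policy an arbitrary peer's X-WEBAUTH-USER value is accepted. Restricting the setting to the real proxy's address or network, and exposing Gitea only through that proxy, makes the header meaningful again. The same applies to the deployed setting of that name, REVERSE_PROXY_TRUSTED_PROXIES, which should list the proxy rather than *.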
CVSS 3.1 base score (MITRE): 9.8
Vulnerability type
CWE-284 Improper Access Control
Published: 3 Jul 2026 · Updated: 5 Jul 2026 · First seen: 3 Jul 2026