
Gitea CVE-2026-20896

EUVD: EUVD-2026-41614 · CRITICAL
Improper Access Control (CWE-284)
2026-07-03 Gitea
9.8
CVSS 3.1 · Vendor: Gitea

Severity by source

Vendor (Gitea) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

When reverse-proxy auth is enabled, any network client can spoof the trusted header without privileges or interaction, so PR:N/UI:N and full C/I/A; the config precondition affects applicability, not base metrics.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Gitea).

CVSS Vector (Vendor: Gitea)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated
Jul 03, 2026 - 21:00 vuln.today
CVE Published
Jul 03, 2026 - 20:19 cve.org
CRITICAL 9.8

Description (CVE.org)

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Analysis (AI)

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach Gitea instance over network
Delivery: Craft HTTP request with forged X-WEBAUTH-USER header
Exploit: Wildcard trusted-proxy accepts spoofed identity
Execution: Obtain impersonated (admin) session
Impact: Full repository and account takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the operator has enabled Gitea's reverse-proxy authentication feature (the ENABLE_REVERSE_PROXY_AUTHENTICATION path using headers such as X-WEBAUTH-USER) while running the official Docker image with its default REVERSE_PROXY_TRUSTED_PROXIES=* setting, and that the attacker can send HTTP requests to the Gitea instance directly rather than being forced through the legitimate proxy. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base 9.8) reflects the worst case: once reverse-proxy auth is enabled, a network attacker with no privileges or user interaction can impersonate any user, including admins, yielding full confidentiality, integrity and availability impact over the repositories. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An organization runs the Gitea Docker image behind a reverse proxy with X-WEBAUTH-USER authentication enabled but leaves the default REVERSE_PROXY_TRUSTED_PROXIES=*. An attacker who can reach the Gitea service directly sends an HTTP request with a forged X-WEBAUTH-USER: admin header; because all source IPs are trusted, Gitea accepts the identity and grants the attacker that user's session, leading to repository and administrative takeover. …
Remediation: Vendor-released patch: upgrade to Gitea 1.26.3 (or later, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all Gitea Docker deployments running versions 1.26.2 or earlier and audit reverse-proxy authentication configuration status (check REVERSE_PROXY_TRUSTED_PROXIES setting and X-WEBAUTH-USER header usage). …
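As an added defender-side example (not code from vuln.today or the Gitea project), the Python below audits an app.ini for the combination named above and mirrors the trust decision the wildcard implies. The sample configs are constructed; placing ENABLE_REVERSE_PROXY_AUTHENTICATION under [service] and the REVERSE_PROXY_* keys under [security] follows Gitea's documented layout but is an assumption here. It goes slightly beyond the advisory by also flagging 0.0.0.0/0 and ::/0, which match every source address just as * does.

```python
import configparser
import ipaddress

# Constructed app.ini fragments (not from a real deployment). Section placement
# of the keys is assumed from Gitea's documented layout.
VULNERABLE_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = *
"""
HARDENED_INI = VULNERABLE_INI.replace("= *", "= 172.18.0.0/16,::1/128")


def is_trusted_proxy(remote_ip, trusted):
    """Trust decision for one peer: '*' trusts everyone; otherwise the peer
    address must fall inside one of the listed IPs or CIDR ranges."""
    if "*" in trusted:
        return True
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in trusted)


def trusts_everyone(trusted):
    """True for '*' and for zero-length prefixes (0.0.0.0/0, ::/0), which are
    equivalent to the wildcard because every source address matches them."""
    for entry in trusted:
        if entry == "*":
            return True
        try:
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                return True
        except ValueError:
            pass  # unparsable entry: never matches a peer, so not a wildcard
    return False


def audit_reverse_proxy_auth(ini_text):
    """Return findings for an app.ini text; an empty list means no issue found."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.read_string("[__root__]\n" + ini_text)  # Gitea permits keys before the first section
    if cp.get("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback="false").lower() != "true":
        return []  # header auth off: the trusted list does not grant identities
    header = cp.get("security", "REVERSE_PROXY_AUTHENTICATION_USER", fallback="X-WEBAUTH-USER")
    raw = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback="")
    trusted = [p.strip() for p in raw.split(",") if p.strip()]
    if trusts_everyone(trusted):
        return [f"trusted-proxy list accepts every source IP; any peer may set {header}"]
    return []
```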


CVE-2026-20896 vulnerability details – vuln.today