Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
When reverse-proxy auth is enabled, any network client can spoof the trusted header without privileges or interaction, so PR:N/UI:N and full C/I/A; the config precondition affects applicability, not base metrics.
Primary rating from Vendor (Gitea).
CVSS Vector (Vendor: Gitea)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
Analysis (AI)
Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. …
Vulnerability Assessment (AI)
| Area | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the operator has enabled Gitea's reverse-proxy authentication feature (the ENABLE_REVERSE_PROXY_AUTHENTICATION path using headers such as X-WEBAUTH-USER) while running the official Docker image with its default REVERSE_PROXY_TRUSTED_PROXIES=* setting, and that the attacker can send HTTP requests to the Gitea instance directly rather than being forced through the legitimate proxy. … |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8) reflects the worst case: once reverse-proxy auth is enabled, a network attacker with no privileges or user interaction can impersonate any user, including admins, yielding full confidentiality, integrity and availability impact over the repositories. … |
| Exploit Scenario | An organization runs the Gitea Docker image behind a reverse proxy with X-WEBAUTH-USER authentication enabled but leaves the default REVERSE_PROXY_TRUSTED_PROXIES=*. An attacker who can reach the Gitea service directly sends an HTTP request with a forged X-WEBAUTH-USER: admin header; because all source IPs are trusted, Gitea accepts the identity and grants the attacker that user's session, leading to repository and administrative takeover. … |
| Remediation | Vendor-released patch: upgrade to Gitea 1.26.3 (or later, e.g. … |
Recommended Action (AI)
Within 24 hours: Identify all Gitea Docker deployments running versions 1.26.2 or earlier and audit reverse-proxy authentication configuration status (check REVERSE_PROXY_TRUSTED_PROXIES setting and X-WEBAUTH-USER header usage). …
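The audit called for above (check whether reverse-proxy header auth is on while REVERSE_PROXY_TRUSTED_PROXIES still trusts every address), together with the weak default and the narrowed setting from the remediation row, as an added example that is not code from vuln.today or the Gitea project. It assumes the app.ini layout Gitea documents (`[service] ENABLE_REVERSE_PROXY_AUTHENTICATION`, `[security] REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_AUTHENTICATION_USER`) and the `GITEA__section__KEY` environment override used by the Docker image; the two sample configs and the 172.18.0.0/16 proxy subnet are constructed for the demo.

```python
"""Audit a Gitea app.ini for the misconfiguration described in this entry.

Added example, not vuln.today's or Gitea's code. Assumed Gitea key layout:
  [service]  ENABLE_REVERSE_PROXY_AUTHENTICATION
  [security] REVERSE_PROXY_TRUSTED_PROXIES, REVERSE_PROXY_AUTHENTICATION_USER
Docker deployments may override any key via GITEA__<section>__<KEY> env vars.
"""
import configparser
import ipaddress

# Constructed sample: the shipped Docker default ("*") left in place after an
# operator switched on header-based reverse-proxy authentication.
WEAK_APP_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""

# Constructed sample: same deployment with trust narrowed to the proxy's
# Docker network (172.18.0.0/16 is an assumed subnet) plus loopback.
FIXED_APP_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = 172.18.0.0/16,127.0.0.0/8,::1/128
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
"""


def parse_app_ini(text, env=None):
    """Parse app.ini text; a root section is prepended because Gitea allows
    keys before the first [section]. Env overrides are applied afterwards."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Gitea's upper-case key names as written
    cp.read_string("[DEFAULT]\n" + text)
    for name, value in (env or {}).items():
        parts = name.split("__", 2)  # GITEA__section__KEY
        if len(parts) != 3 or parts[0] != "GITEA":
            continue
        section, key = parts[1], parts[2]
        if section != cp.default_section and not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, key, value)
    return cp


def overly_broad(entry):
    """True for the wildcard or a CIDR that matches every address."""
    if entry == "*":
        return True
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames or garbage: not judged here


def audit(text, env=None):
    """Return the effective settings plus a list of findings (empty = clean)."""
    cp = parse_app_ini(text, env)
    auth_on = cp.getboolean("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION",
                            fallback=False)
    header = cp.get("security", "REVERSE_PROXY_AUTHENTICATION_USER",
                    fallback="X-WEBAUTH-USER")
    # Documented non-Docker default is 127.0.0.0/8,::1/128 (assumed here).
    raw = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES",
                 fallback="127.0.0.0/8,::1/128")
    proxies = [p.strip() for p in raw.split(",") if p.strip()]
    broad = [p for p in proxies if overly_broad(p)]

    findings = []
    if auth_on and broad:
        findings.append(
            f"CRITICAL: {header} header auth is enabled and trusted proxies "
            f"include {broad}; any client that reaches Gitea directly can "
            f"assert an identity via that header")
    elif broad:
        findings.append(
            f"WARNING: trusted proxies include {broad}; this becomes critical "
            f"the moment ENABLE_REVERSE_PROXY_AUTHENTICATION is turned on")
    return {"reverse_proxy_auth": auth_on, "header": header,
            "trusted_proxies": proxies, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_APP_INI), ("fixed", FIXED_APP_INI)):
        result = audit(cfg)
        print(label, result["trusted_proxies"], result["findings"] or "OK")
    # Docker-style override narrowing the weak config without editing the file
    print("env-override", audit(WEAK_APP_INI, env={
        "GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES": "172.18.0.2"
    })["findings"] or "OK")
```

Run it against a container's `/data/gitea/conf/app.ini` (and the container's environment, since `GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES` wins over the file) to get a per-instance answer; a clean result still depends on the proxy being the only path to the Gitea port, which this script cannot see.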
Weakness: CWE-284 – Improper Access Control
Technique: Authentication Bypass
EUVD identifier: EUVD-2026-41614