Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

NHS Warns Staff Over Unauthorized Access to Patient Data

July 11, 2026

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

July 11, 2026

New Ransomware Exploits Malicious Driver to Remove Security Protection

July 11, 2026
Facebook X (Twitter) Instagram
Saturday, July 11
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
News

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

Team-CWDBy Team-CWDJuly 11, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig.

The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the “X-WEBAUTH-USER” header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access.

In a statement shared with The Hacker News via email, security researcher Ali Mustafa (@rz1027), who is credited with discovering and reporting the flaw, said the Gitea Docker images shipped an “app.ini” template that hard-codes “REVERSE_PROXY_TRUSTED_PROXIES = *” by default. The “app.ini” file is a core configuration file for managing server parameters, database connections, security behavior, and application settings.

“With reverse-proxy login enabled, that wildcard trusts every source IP, so anyone who could reach the port could send an X-WEBAUTH-USER header and be authenticated as any user, with no password and no token,” Mustafa explained. “With auto-registration on, an admin username gives admin.”

It’s worth noting that the documented safe value for the “REVERSE_PROXY_TRUSTED_PROXIES” internal variable is “127.0.0.0/8,::1/128,” meaning only localhost, aka the loopback interface, is allowed as a trusted proxy server. However, the official Docker image doesn’t use this default, hard-coding “*” instead. In other words, the allowlist check is as good as not having it.

Thus, when an admin sets “ENABLE_REVERSE_PROXY_AUTHENTICATION = true” to put Gitea behind an authenticating reverse proxy and leaves the “REVERSE_PROXY_TRUSTED_PROXIES” setting to its default value, it allows a X-WEBAUTH-USER custom HTTP header from any source IP that can reach the container.

“Any process that can reach the Gitea container’s HTTP port directly – not through the intended authenticating proxy – can impersonate any user whose login name is known or guessable,” according to Gitea’s advisory. “Admin accounts (admin, gitea_admin, etc.) are the obvious targets.”

The vulnerability affects Gitea Docker images versions before and including 1.26.2. It has been addressed in version 1.26.3 released late last month, with the “*” wildcard now removed and reverse-proxy authentication made opt-in.

Cloud security company Sysdig has since revealed it detected the first in-the-wild exploitation attempt 13 days after public disclosure of the vulnerability. There are about 6,200 internet-facing Gitea instances.

“So far, the activities have been related to initial investigation by the threat actor,” Michael Clark, senior director of threat research at Sysdig, told The Hacker News.

“While we saw the first action from an IP from the ProtonVPN service, 159.26.98[.]241, it has not so far progressed to any exploitation or attack progress. We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase.”

Given the severity of the issue, it’s essential that users apply the fixes as soon as possible for optimal protection.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleNew Ransomware Exploits Malicious Driver to Remove Security Protection
Next Article NHS Warns Staff Over Unauthorized Access to Patient Data
Team-CWD
  • Website

Related Posts

News

NHS Warns Staff Over Unauthorized Access to Patient Data

July 11, 2026
News

New ‘GigaWiper’ Malware Combines Espionage & Destructive Capabilities

July 10, 2026
News

Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

July 10, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Find your weak spots before attackers do

November 21, 2025

Why geopolitical turmoil is a gift for scammers, and how to stay safe

May 15, 2026

A stealthy RAT burrowing deep into Android devices

May 26, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.