Security researchers are warning of active exploitation of an almost perfect-10 vulnerability in code repository management platform, Gitea.
CVE-2026-20896 was patched in releases 1.26.3 and Gitea 1.26.4, which were made available on June 21; however, 13 days later, hackers are targeting the bypass authentication flaw.
“CVE-2026-20896 exploited 13 days after disclosure. One HTTP header. Access on any internet-facing Gitea,” warned Michael Clark, Threat Research Director at cloud security firm Sysdig.
The issue, according to Clark, is that Gitea’s Docker image ships with reverse-proxy authentication enabled, which in turn leads to Gitea trusting any source IP address “so an unauthenticated internet client becomes whoever it claims to be,” including admin.
“No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access,” Clark said.
Clark said that once authenticated, a malicious user could then gain read and write access to code and anything else accidentally committed to the repository, such as database credentials, API keys, and deploy tokens.
Security researcher Ali Mustafa, who found and reported the flaw, goes into more detail about how it works.
“The documented-safe default, the one in app.example.ini, is 127.0.0.0/8,::1/128: loopback only, so out of the box just the local proxy is trusted. The official Docker image doesn't use that. Its app.ini template hard-codes * (docker/root/etc/templates/app.ini:55, and docker/rootless/etc/templates/app.ini:52 for the rootless image). * matches every source IP, so the allowlist check does nothing. Turn on reverse-proxy login and now anyone who can reach the port can send the header, not just your proxy. With auto-registration on, the account is created on the spot. Send an admin's username and you're the admin.”
As of two days ago, connected device search engine Shodan was indexing more than 6,000 internet-facing Gitea instances, Clark said.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.