Security Affairs
Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets

Attackers are exploiting a critical Gitea flaw (CVE-2026-20896) that bypasses authentication with a single HTTP header, exposing repositories and sensitive data. Sysdig researchers warn that attackers are actively exploiting a critical authentication bypass flaw, tracked as CVE-2026-20896 (CVSS score of 9.8), which affects Gitea official Docker images before version 1.26.3. “CVE-2026-20896 exploited 13 days after […]

Gitea

Attackers are exploiting a critical Gitea flaw (CVE-2026-20896) that bypasses authentication with a single HTTP header, exposing repositories and sensitive data.

Sysdig researchers warn that attackers are actively exploiting a critical authentication bypass flaw, tracked as CVE-2026-20896 (CVSS score of 9.8), which affects Gitea official Docker images before version 1.26.3.

“CVE-2026-20896 exploited 13 days after disclosure. One HTTP header. Access on any internet-facing Gitea.” Sysdig Sr. Director of Threat Research Michael Clark wrote. “No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access.”

Attackers can bypass authentication and gain access to internet-facing Gitea instances, including repositories and sensitive secrets, by sending a single crafted HTTP header with a valid username. The flaw is caused by insecure default settings that accept connections from any IP address instead of restricting access to trusted reverse proxies.

“Gitea’s official Docker image (up to and including 1.26.2) ships REVERSE_PROXY_TRUSTED_PROXIES = * in its default config. If you turn on reverse-proxy login, that wildcard means every source IP is treated as a trusted proxy, so anyone who can reach the port can send an X-WEBAUTH-USER header and get logged in as whoever they want.” reported security researcher Ali Mustafa, who discovered the issue. “No password, no token.”

Gitea can use a reverse proxy to authenticate users by trusting the X-WEBAUTH-USER HTTP header, but only if the request comes from a trusted proxy. Normally, this is protected by an IP allowlist that, by default, trusts only the local machine. However, the official Gitea Docker images are misconfigured: they trust requests from any IP address. As a result, if reverse-proxy authentication is enabled, anyone who can reach the Gitea server can send a crafted HTTP header, impersonate any user, and even gain administrator access. The flaw affects only the official Docker images, not standard or self-built Gitea installations that use the secure default configuration.

“Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable.” the researcher said. “Admin accounts are the obvious targets,”

Gitea versions 1.26.3 and 1.26.4 make reverse-proxy authentication an opt-in feature, fixing the flaw.

According to Sysdig, a Shodan query identified around 6,200 internet-exposed Gitea instances, although the number of vulnerable systems remains unknown. Users should update immediately to protect their code and secrets.

“User access on a Gitea box isn’t “a web panel,” it’s your source code.” Clark concluded. “A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-20896)