Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Hackers exploit critical auth bypass in Gitea Docker image

    July 11, 2026

    ‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

    July 11, 2026

    Progress urges ShareFile admins to shut down servers over “credible” threat

    July 11, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Hackers exploit critical auth bypass in Gitea Docker image
    News

    Hackers exploit critical auth bypass in Gitea Docker image

    adminBy adminJuly 11, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Hackers exploit critical auth bypass in Gitea Docker image

    Hackers are actively exploiting a critical vulnerability in the official Docker image for the Gitea self-hosted Git service that allows attackers to impersonate any user, including administrators.

    The security flaw is an authentication bypass vulnerability, tracked as CVE-2026-20896, that affects deployments using the default configuration, where reverse proxy authentication headers such as X-WEBAUTH-USER are enabled.

    Michael Clark, leading security researcher at Sysdig, confirmed that exploitation of the flaw started less than two weeks before the vulnerability was publicly disclosed.

    image

    Currently, there are around 6,200 Gitea instances exposed on the public web, although it is unclear how many of them are vulnerable.

    “Gitea’s official Docker image ships `REVERSE_PROXY_TRUSTED_PROXIES=*`. With reverse-proxy authentication enabled, Gitea then trusts the `X-WEBAUTH-USER` header from any source IP so an unauthenticated internet client becomes whoever it claims to be,” Clark warned.

    “No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access.”

    Gitea is an open-source self-hosted alternative to GitHub and GitLab, used to store source code, manage pull requests, collaborate, deploy, and perform CI/CD operations.

    Gitea’s official Docker image configured reverse-proxy authentication to trust identity headers from any client IP address rather than only from trusted reverse proxies, allowing unauthenticated attackers to impersonate arbitrary users.

    The CVE-2026-20896 critical bug affects the official Gitea Docker images up to and including version 1.26.2 in the default configuration.

    The maintainer shared the steps to reproduce it, warning that “any process that can reach the Gitea container’s HTTP port directly – not through the intended authenticating proxy – can impersonate any user whose login name is known or guessable. Admin accounts (admin, gitea_admin, etc.) are the obvious targets.”

    Gitea released versions 1.26.3 and 1.26.4 that address CVE-2026-20896 and advised users to upgrade straight to the most recent release, which fixes an additional issue and a regression introduced in 1.26.3.

    Singapore’s cybersecurity agency (CSA) has also issued a warning about CVE-2026-20896 being actively exploited.

    If upgrading to a safe version is not possible, CSA recommends restricting the REVERSE_PROXY_TRUSTED_PROXIES setting to specific trusted IP addresses instead of the default wildcard (*).

    The agency also recommended reviewing access logs for any suspicious activity to determine if a compromise has already occurred.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous Article‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets
    admin
    • Website

    Related Posts

    News

    ‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

    July 11, 2026
    News

    Progress urges ShareFile admins to shut down servers over “credible” threat

    July 11, 2026
    News

    Behind the Blog: The Promise of the Internet

    July 10, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    Hackers exploit critical auth bypass in Gitea Docker image

    July 11, 2026

    ‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

    July 11, 2026

    Progress urges ShareFile admins to shut down servers over “credible” threat

    July 11, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.