A critical vulnerability in Gitea – a self-hosted, open-source Git service that your developers may quietly be using – is being targeted in the wild. 

The Gitea vulnerability, allocated CVE-2026-20896 (CVSS 9.8) was patched on June 17. Attacks came 13 days after the initial issue was released.

Initial probing has come via a ProtonVPN IP, 159.26.98[.]241

That’s according to Michael Clark, from cloud security firm Sysdig’s threat intelligence team. Clark suggests that there may be around 6,200 instances of Gitea indexed on Shodan that could be vulnerable to this issue.

The bug was disclosed by  Joshua Martinelle with Tenable and security researcher Ali Mustafa. The vulnerability stems from the fact that the Gitea Docker images shipped a REVERSE_PROXY_TRUSTED_PROXIES = * default.

Gitea vulnerability: Impersonate any user

In short, many organizations run Gitea behind a reverse proxy (like Nginx, Apache, or a dedicated login gateway). This gateway confirms their identity by attaching an HTTP header like, X-WEBAUTH-USER: [username].

But in the pre-packaged Gitea Docker images, the default configuration effectively told Gitea to treat any IP address as a valid reverse proxy. 

If an admin turned on reverse proxy login features but left this trusted proxy list at its default setting, Gitea would trust the identity headers sent by any computer; i.e. any source IP can impersonate a user via X-WEBAUTH-USER header. Gitea versions <=1.26.2 are affected. 1.26.3 is the patched version.

“Any process that can reach the Gitea container's HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts (admin, gitea_admin, etc.) are the obvious targets,” as the patch notes show. 

Sysdig’s Clark commented: “No password. No token. One header. 

Risk of private key leakage

Writing on LinkedIn, he said: “Sysdig sensors caught the first in-the-wild hit 13 days after the advisory, a VPN-exit scanner that grabbed access.

“User access on a Gitea box isn't "a web panel," it's your source code. A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys.”

Users should update and rotate any credentials that may, potentially, have been exposed via Gitea.

If you cannot update right away, modify your Gitea app.ini configuration file. Change REVERSE_PROXY_TRUSTED_PROXIES = * to the specific, trusted internal IP address of your actual reverse proxy server or a specific internal network IP).

The link has been copied!