Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

The Hacker News by The Hacker News
July 6, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 06, 2026Vulnerability / DevOps

Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig.

The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the “X-WEBAUTH-USER” header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access.

In a statement shared with The Hacker News via email, security researcher Ali Mustafa (@rz1027), who is credited with discovering and reporting the flaw, said the Gitea Docker images shipped an “app.ini” template that hard-codes “REVERSE_PROXY_TRUSTED_PROXIES = *” by default. The “app.ini” file is a core configuration file for managing server parameters, database connections, security behavior, and application settings.

“With reverse-proxy login enabled, that wildcard trusts every source IP, so anyone who could reach the port could send an X-WEBAUTH-USER header and be authenticated as any user, with no password and no token,” Mustafa explained. “With auto-registration on, an admin username gives admin.”

It’s worth noting that the documented safe value for the “REVERSE_PROXY_TRUSTED_PROXIES” internal variable is “127.0.0.0/8,::1/128,” meaning only localhost aka the loopback interface, is allowed as a trusted proxy server. However, the official Docker image doesn’t use this default, hard-coding “*” instead. In other words, the allowlist check is as good as not having it.

Thus, when an admin sets “ENABLE_REVERSE_PROXY_AUTHENTICATION = true” to put Gitea behind an authenticating reverse proxy and leaves the “REVERSE_PROXY_TRUSTED_PROXIES” setting to its default value, it allows a X-WEBAUTH-USER custom HTTP header from any source IP that can reach the container.

“Any process that can reach the Gitea container’s HTTP port directly – not through the intended authenticating proxy – can impersonate any user whose login name is known or guessable,” according to Gitea’s advisory. “Admin accounts (admin, gitea_admin, etc.) are the obvious targets.”

The vulnerability affects Gitea Docker images versions before and including 1.26.2. It has been addressed in version 1.26.3 released late last month, with the “*” wildcard now removed and reverse-proxy authentication made opt-in.

Cloud security company Sysdig has since revealed it detected the first in-the-wild exploitation attempt 13 days after public disclosure of the vulnerability. There are about 6,200 internet-facing Gitea instances.

“So far, the activities have been related to initial investigation by the threat actor,” Michael Clark, senior director of threat research at Sysdig, told The Hacker News.

“While we saw the first action from an IP from the ProtonVPN service, 159.26.98[.]241  it has not so far progressed to any exploitation or attack progress. We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase.”

Given the severity of the issue, it’s essential that users apply the fixes as soon as possible for optimal protection.



Source link

The Hacker News

The Hacker News

Next Post
Trump Accounts boost? Here’s how much money will flow into stock market from the new program

Trump Accounts boost? Here's how much money will flow into stock market from the new program

Recommended.

Zdieľanie prosperity v inteligentnej ére: Čínske medzinárodné fórum inteligentnej komunikácie 2025 sa konalo vo Wuxi

Zdieľanie prosperity v inteligentnej ére: Čínske medzinárodné fórum inteligentnej komunikácie 2025 sa konalo vo Wuxi

November 11, 2025
Nvidia GTC 2026: HPE Unveils Vera Rubin Systems, Expands Private Cloud AI Portfolio

Nvidia GTC 2026: HPE Unveils Vera Rubin Systems, Expands Private Cloud AI Portfolio

March 16, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio