Description
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
Published: 2026-07-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to specify any user identity in a forwarded header such as X-WEBAUTH-USER, because the Gitea Docker image sets REVERSE_PROXY_TRUSTED_PROXIES=* by default and therefore treats every source IP as a trusted reverse proxy. Because the application accepts the value of this header without checking where the request came from, an attacker can impersonate any registered user, including administrators, and perform actions with elevated privileges. This results in unauthorized code commits, repository manipulation, and potentially broader system compromise, violating confidentiality, integrity, and availability. The weakness is a classic access-control violation (CWE-284).

Affected Systems

Vendors: Gitea. Product: Gitea Open Source Git Server. Versions: Docker images up to and including 1.26.2 are affected; newer releases (1.26.3 and later) contain the fix.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical impact. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in CISA KEV. The likely attack vector is a malicious client that sends a forged X-WEBAUTH-USER header to a Gitea instance behind an arbitrary reverse proxy that the image trusts because REVERSE_PROXY_TRUSTED_PROXIES is set to *.

Generated by OpenCVE AI on July 4, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gitea v1.26.3 or later in the Docker image
  • If upgrade is not currently feasible, restrict REVERSE_PROXY_TRUSTED_PROXIES to only the IP addresses of your trusted reverse proxy (do not use '*')
  • Disable or remove reverse-proxy authentication headers such as X-WEBAUTH-USER if your deployment does not use authenticated reverse proxies
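The trust decision behind these recommendations, as an added example written for this page (not Gitea's code): with the wildcard setting the identity header is honoured from any peer, while a list restricted to the proxy's address honours it only when the TCP peer is that proxy. The addresses 10.0.0.2 and 203.0.113.7 are constructed.

```python
# Added illustration of the trust check behind REVERSE_PROXY_TRUSTED_PROXIES;
# a model written for this page, not Gitea's implementation.
import ipaddress
from typing import Optional

IDENTITY_HEADER = "X-WEBAUTH-USER"


def parse_trusted_proxies(setting: str):
    """Parse a comma-separated trusted-proxy setting: None for the
    wildcard '*' (every peer trusted), else a list of networks."""
    setting = setting.strip()
    if setting == "*":
        return None
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in setting.split(",") if item.strip()]


def is_trusted_proxy(remote_ip: str, trusted) -> bool:
    """True if the TCP peer address may supply authentication headers."""
    if trusted is None:  # wildcard: any source IP is trusted
        return True
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in trusted)


def resolve_user(remote_ip: str, headers: dict, trusted) -> Optional[str]:
    """Identity the server accepts for a request, or None: the forwarded
    identity header counts only when the peer is a trusted proxy."""
    if not is_trusted_proxy(remote_ip, trusted):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return lowered.get(IDENTITY_HEADER.lower())


def compare_settings():
    """Constructed scenario: real proxy at 10.0.0.2, direct client at
    203.0.113.7; both present an identity header claiming 'admin'."""
    headers = {IDENTITY_HEADER: "admin"}
    weak = parse_trusted_proxies("*")             # the image default described above
    fixed = parse_trusted_proxies("10.0.0.2/32")  # only the real proxy's address
    return {
        "wildcard_direct_client": resolve_user("203.0.113.7", headers, weak),
        "restricted_direct_client": resolve_user("203.0.113.7", headers, fixed),
        "restricted_via_proxy": resolve_user("10.0.0.2", headers, fixed),
    }
```

The restricted list only helps if the proxy itself overwrites any client-supplied X-WEBAUTH-USER before forwarding; a proxy that passes the header through untouched recreates the wildcard behaviour.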

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
Title | | Gitea Docker image trusts spoofable reverse-proxy headers by default
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Gitea

Published:

Updated: 2026-07-03T20:19:29.588Z

Reserved: 2026-03-03T03:25:59.988Z

Link: CVE-2026-20896

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-04T16:45:03Z

Weaknesses