Impact
The flaw allows an attacker to specify any user identity in a forwarded header such as X-WEBAUTH-USER when the Gitea Docker image is configured with REVERSE_PROXY_TRUSTED_PROXIES=* by default. Because the application accepts the value of this header unfiltered, an attacker can impersonate any registered user, including administrators, and perform actions with elevated privileges. This results in unauthorized code commits, repository manipulation, and potentially broader system compromise, violating confidentiality, integrity, and availability. The weakness is a classic access-control violation (CWE-284).
Affected Systems
Vendors: Gitea. Product: Gitea Open Source Git Server. Versions: Docker images up to and including 1.26.2 are affected; newer releases (1.26.3 and later) contain the fix.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical impact. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in CISA KEV. The likely attack vector is a malicious client that sends a forged X-WEBAUTH-USER header to a Gitea instance behind an arbitrary reverse proxy that the image trusts because REVERSE_PROXY_TRUSTED_PROXIES is set to *.
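The following Go program is an added illustration of the trust decision described in the Impact and Risk sections above; it is not Gitea's code and does not reproduce Gitea's implementation. It models a reverse-proxy authentication check with two configurations: the weak one, where the trusted-proxy list is `*` and every peer may assert an identity through X-WEBAUTH-USER, and a hardened one that only honours the header when the TCP peer is inside an assumed proxy network (10.0.0.0/8 and ::1/128 are placeholder values chosen for the example). The request addresses and user names are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ReverseProxyAuth models the two settings that matter here: the header that
// carries the identity asserted by the proxy, and the list of peers allowed to
// assert it. The entry "*" means every peer is trusted (the weak configuration).
type ReverseProxyAuth struct {
	HeaderName     string
	TrustedProxies []string // CIDRs, bare IPs, or "*"
}

// trusted reports whether the TCP peer at remoteAddr ("host:port") is on the
// trusted-proxy list. Any non-parsable address is treated as untrusted.
func (c ReverseProxyAuth) trusted(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // allow a bare IP without a port
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, entry := range c.TrustedProxies {
		entry = strings.TrimSpace(entry)
		if entry == "*" {
			return true // wildcard: the header is believed from anyone
		}
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(ip) {
				return true
			}
			continue
		}
		if other := net.ParseIP(entry); other != nil && other.Equal(ip) {
			return true
		}
	}
	return false
}

// IdentityFor returns the user name asserted in the proxy header, or "" when
// the peer is not a trusted proxy. The header value is never consulted for an
// untrusted peer, so a client that connects directly cannot choose its identity.
func (c ReverseProxyAuth) IdentityFor(r *http.Request) string {
	if !c.trusted(r.RemoteAddr) {
		return ""
	}
	return strings.TrimSpace(r.Header.Get(c.HeaderName))
}

// requestFrom builds a constructed sample request from the given peer address,
// optionally carrying a forged or legitimate X-WEBAUTH-USER header.
func requestFrom(remote, user string) *http.Request {
	req, _ := http.NewRequest("GET", "http://gitea.example.internal/", nil)
	req.RemoteAddr = remote
	if user != "" {
		req.Header.Set("X-WEBAUTH-USER", user)
	}
	return req
}

func main() {
	weak := ReverseProxyAuth{HeaderName: "X-WEBAUTH-USER", TrustedProxies: []string{"*"}}
	hardened := ReverseProxyAuth{HeaderName: "X-WEBAUTH-USER", TrustedProxies: []string{"10.0.0.0/8", "::1/128"}}

	direct := requestFrom("203.0.113.5:51234", "admin") // constructed: client talking straight to the app
	viaProxy := requestFrom("10.0.0.2:40000", "alice")  // constructed: request relayed by the in-network proxy

	fmt.Printf("wildcard, direct client:   %q\n", weak.IdentityFor(direct))      // "admin"
	fmt.Printf("hardened, direct client:   %q\n", hardened.IdentityFor(direct))  // ""
	fmt.Printf("hardened, via proxy:       %q\n", hardened.IdentityFor(viaProxy)) // "alice"
}
```

The hardened list only helps if the reverse proxy itself overwrites or strips any X-WEBAUTH-USER header that arrives from the client before forwarding, and if the application is not reachable on any path that bypasses the proxy; both are deployment properties to verify alongside the trusted-proxy setting.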
OpenCVE Enrichment