Summary
Gitea patched a critical authentication bypass vulnerability (CVE-2026-20896) in its Docker images that allows attackers to impersonate any user with a single HTTP header. The flaw is being exploited in the wild.
Take Action:
If you self-host Gitea, first make sure it's isolated from the internet and reachable only from trusted networks, then update to version 1.26.3 or later ASAP. If you can't update immediately, edit your app.ini to change REVERSE_PROXY_TRUSTED_PROXIES from * to your actual reverse proxy's specific IP address, and rotate all credentials and secrets stored in your repositories.
Read the full article on BeyondMachines
This article was originally published on BeyondMachines
Top comments (0)