→ Back to Home
Docker

Threat Actors Actively Exploiting Critical Gitea Docker Image Vulnerability

Cloud security firm Sysdig has reported active probing attempts by threat actors targeting CVE-2026-20896, a critical security vulnerability (CVSS score: 9.8) affecting Gitea Docker images. The flaw, disclosed 13 days prior to the observed exploitation, allows unauthenticated internet clients to achieve elevated access. This stems from a misconfiguration in the `app.ini` template within Gitea Docker images, which hard-codes `REVERSE_PROXY_TRUSTED_PROXIES = *` by default. When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is set to true, this wildcard setting allows any source IP to impersonate users by sending an `X-WEBAUTH-USER` header, effectively bypassing authentication. The vulnerability impacts Gitea Docker images up to and including version 1.26.2 and has been addressed in version 1.26.3, released late last month, which removes the wildcard and makes reverse-proxy authentication opt-in. This vulnerability is a high-stakes concern for any organization utilizing Gitea, particularly those leveraging its official Docker images. The ease of exploitation—requiring only a crafted HTTP header—means that internet-facing Gitea instances are at immediate risk. For practitioners, this isn't just a theoretical flaw; it's an actively exploited pathway to unauthorized access, potentially leading to full compromise of source code repositories and associated CI/CD pipelines. The CVSS score of 9.8 underscores the severity, indicating a near-maximum impact with low attack complexity. This incident highlights a recurring theme in cloud-native security: the dangers of insecure default configurations, especially within widely distributed container images. While Gitea's intention for reverse proxy authentication is sound, the default `REVERSE_PROXY_TRUSTED_PROXIES = *` in its Docker image created a significant attack surface. This echoes past vulnerabilities where default settings or overlooked configurations in container environments led to critical exposures. The rapid detection of in-the-wild probing, just days after disclosure, also reinforces the aggressive nature of threat actors in targeting newly revealed vulnerabilities in popular open-source tools. DevOps teams and system administrators running Gitea via Docker must immediately verify their Gitea versions and configurations. The most critical action is to upgrade all affected Gitea Docker instances to version 1.26.3 or newer. For those unable to upgrade immediately, reviewing and explicitly setting `REVERSE_PROXY_TRUSTED_PROXIES` to a secure value (e.g., `127.0.0.0/8,::1/128`) and ensuring `ENABLE_REVERSE_PROXY_AUTHENTICATION` is configured correctly are vital interim steps. Furthermore, this serves as a stark reminder to scrutinize default configurations of all third-party Docker images and applications, implementing a "zero-trust" mindset even for seemingly benign settings. Continuous monitoring for suspicious authentication attempts on Gitea instances is also advisable.
#gitea#docker#security#cve#vulnerability#container security
Read original source