A critical vulnerability in Gitea's reverse-proxy authentication mechanism is being actively exploited by malicious actors. This flaw, identified as CVE-2026-20896, allows unauthorized access to Gitea instances via a single HTTP header when only a valid username is provided. The vulnerability is particularly severe in Gitea's Docker images prior to version 1.26.3, where default settings inadvertently permit connections from any IP address without enforcing an allowlist.

Security researcher Ali Mustafa discovered the issue, noting that when Gitea is placed behind a proxy, it should only trust headers set by the proxy if reverse-proxy authentication is enabled. This flaw enables attackers who can provide a valid username in a header to bypass authentication and access vulnerable instances. The potential for impersonation is high, especially for admin accounts which are primary targets.

The vulnerability was patched in Gitea versions 1.26.3 and 1.26.4, which now make reverse-proxy authentication an opt-in feature. Exploitation of this flaw began just 13 days after its public disclosure, with attackers using a VPN-exit scanner to gain unauthorized access. Michael Clark from Sysdig highlighted that their sensors detected the first exploitation in the wild shortly after the advisory was issued.

Approximately 6,200 Gitea instances are currently accessible from the internet, though the exact number of vulnerable instances remains unknown. Users are strongly urged to update their Gitea deployments immediately to prevent potential compromises. Successful exploitation could lead to attackers gaining complete control over repositories and accessing sensitive information like API keys and database credentials.