general · MITRE
Gitea Docker image versions up to and including 1.26.2 contain a misconfiguration where REVERSE_PROXY_TRUSTED_PROXIES is set to * by default. This allows any source IP to impersonate users when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled. According to the CVE record, the vulnerability affects the Gitea Open Source Git Server product. Fixes are available in versions 1.26.3 and later.
Organizations deploying Gitea in containerized environments should review their reverse-proxy configurations and authentication header handling. SaaS teams using Gitea for code hosting should assess whether their deployments have applied patched versions and validate proxy trust settings. Defense contractors and healthcare providers relying on Gitea for internal repositories should prioritize inventory and remediation to prevent unauthorized access to sensitive codebases. An Omniware engagement can scope the risk to your specific deployment architecture and remediation timeline.
Source: MITRE National Vulnerability Database - https://nvd.nist.gov/vuln/detail/CVE-2026-20896
Source: MITRE
All briefings