Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3087 articles · 172015 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-20896EXPLOITEDPATCHED
gitea · gitea

Gitea Docker image trusts spoofable reverse-proxy headers by default

Description

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Affected Products

VendorProductVersions
giteagitea0, 1.26.3, 1.26.4

References

  • https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4(vendor-advisory)
  • https://github.com/go-gitea/gitea/pull/38151(patch)
  • https://github.com/go-gitea/gitea/releases/tag/v1.26.3(release-notes)
  • https://blog.gitea.com/release-of-1.26.3-and-1.26.4/(release-notes)

Related News (4 articles)

Tier D
SecurityWeek3h ago
Critical Gitea Flaw Under Active Exploitation, Researchers Warn
→ No new info (linked only)
Tier E
Reddit r/cybersecurity1d ago
Exploitarium coverage update: CVE-2026-20896 Gitea probing confirmed + 10 new rules added
→ No new info (linked only)
Tier D
The Hacker News1d ago
Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-20896 | Gitea up to 1.26.2 access control (GHSA-f75j-4cw6-rmx4)
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4https://github.com/go-gitea/gitea/pull/38151
CWECWE-284
PublishedJul 3, 2026
Last enriched2h agov3
Trending Score91
Source articles4
Independent4
Info Completeness10/14
Missing: epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-26247EXP
Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange
Trending: 62
CRITICALCVE-2026-26292EXP
Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions
Trending: 62
CRITICALCVE-2026-26232EXP
Gitea OAuth2 authorization codes lack expiry and reuse enforcement
Trending: 62
HIGHCVE-2026-27660EXP
Gitea draft releases use insufficient permission checks
Trending: 56
CRITICALCVE-2026-22547
Gitea repository creation accepts invalid field values
Trending: 49

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: exploitAvailable, activelyExploited
Jul 6, 2026
Actively Exploited
Jul 7, 2026
Exploit Available
Jul 7, 2026
Patch Available
Jul 7, 2026
Updated: affectedVersions
Jul 7, 2026

Version History

v3
Last enriched 2h ago
v3Tier D2h ago

Added affected versions 1.26.3 and 1.26.4, and updated patch information to reflect the new versions.

affectedVersions
via SecurityWeek
v2Tier D1d ago

Updated exploit availability to true and marked the vulnerability as actively exploited.

exploitAvailableactivelyExploited
via The Hacker News
v13d ago

Initial creation