Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gitea Docker images X-WEBAUTH-USER header trust bypass (CVE-2026-20896)

Vulnerability
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

Researchers observed in-the-wild probing of CVE-2026-20896 in Gitea Docker images 13 days after disclosure, turning a recently patched critical authentication bypass into an immediate risk for exposed deployments. The flaw affects versions before and including 1.26.2 and stems from the image trusting the X-WEBAUTH-USER header from any source IP that can reach the container. That design lets a direct client impersonate a known or guessable username, and with auto-registration enabled an attacker can reach admin access by using an admin login name. The issue was fixed in 1.26.3, and there are about 6,200 internet-facing Gitea instances in the exposed population.

Related Happenings

RunC user namespaces and rootless containers mitigation

Advisory/Mitigation
H score21 First: 09.11.2025 17:11 Last: 09.11.2025 17:11 Sources 1

About this happening: RunC developers shared **mitigation actions** for the newly disclosed **runC** flaws that can let attackers **bypass isolation** and reach the **host system**. The core recommenda...

Timeline

  1. 06.07.2026 19:28 2 articles · 3d ago

    Sysdig detects first probing of CVE-2026-20896 against Gitea Docker images

    Exploitation Observed

    Sysdig detected the first in-the-wild attempt to probe CVE-2026-20896 against Gitea Docker images 13 days after public disclosure. The activity came from 159.26.98[.]241 on the ProtonVPN service and, so far, remained initial investigation without exploitation or attack progress. The flaw affects Gitea Docker images versions before and including 1.26.2, and version 1.26.3 removes the wildcard trust and makes reverse-proxy authentication opt-in.

    Show sources