Threat Actors Probe Gitea Docker Flaw (CVE-2026-20896) 13 Days Post-Disclosure
Threat actors have been observed attempting to exploit a critical Gitea Docker flaw (CVE-2026-20896) that allows unauthenticated clients to gain elevated access by impersonating any user. The vulnerability stems from a misconfigured default setting in the 'app.ini' file, which allows any process to impersonate any user if reverse-proxy authentication is enabled.
Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig.
The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated
*** END OF TRANSMISSION ***