```html ```
top of page

One HTTP Header Turns You Into gitea_admin. It's the Second Gitea Auth Bypass We've Covered in Five Weeks.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 hour ago
  • 3 min read

Here is the entire attack. When a Gitea instance is configured to sit behind a reverse proxy for authentication, it reads a header called X-WEBAUTH-USER and treats whatever name is in it as the logged-in user. The catch is the default: Gitea ships trusting all upstream connections as legitimate proxies — the parameter is set to a wildcard out of the box. So any remote client that can reach the instance sends its own request with X-WEBAUTH-USER set to admin, or gitea_admin, and Gitea hands over a fully authenticated session for that account. No password. No token. No second factor. This is CVE-2026-20896, it carries a CVSS of 9.8, and it affects Gitea Docker images up to and including 1.26.2.


Roughly six thousand two hundred Gitea servers were sitting on the public internet during the first scanning wave. Thirteen days after disclosure, threat actors started actively probing for them, with the earliest reconnaissance traced to a ProtonVPN exit node. The fix landed in 1.26.3 and 1.26.4, which finally make reverse-proxy authentication opt-in instead of a wildcard-trusting default. If you run self-hosted Gitea behind a proxy, that upgrade is tonight's job, not this week's.



We are not first, and we do not have to pretend to be


Let me be straight about the timeline, because it is the honest part and it is also the interesting part. We did not call CVE-2026-20896 specifically. Other researchers named the mechanism and traced the probing. What we can tell you is that this is not a surprise, because we watched the same box start bleeding five weeks ago.


On May 29 we published the story of CVE-2026-27771 — a different Gitea flaw, a container-registry authorization bypass that let unauthenticated attackers pull private container images from roughly thirty thousand deployments, and had been shipping for about four years. We filed it under a thesis we have been repeating all year: the hard perimeter holds, and the soft surfaces bleed, and the softest surface right now is the developer's own toolbox. Gitea is the leading self-hosted alternative to GitHub. It is where teams that did not want to trust a cloud put their source, their secrets, and their container images. That makes it a concentrated, high-value, under-watched target — exactly the profile that gets hit repeatedly.


So the claim is not "we predicted this CVE." It is "we told you in May that Gitea was a bleeding surface, and here is the second unauthenticated bypass in five weeks proving the surface, not the single bug, was the story." One flaw is a patch. Two flaws in five weeks on the same platform is a pattern, and the pattern is what a feed exists to warn you about.



The lesson is the default, not the bug


The thing worth internalizing here is that CVE-2026-20896 is barely a code bug. It is a configuration default. Gitea trusted all upstream proxies by default, and reverse-proxy header authentication is only safe if you can guarantee that the header can only be set by a proxy you control. Ship that as a wildcard and you have handed every internet client the ability to assert any identity it likes. This is the same class of mistake as an unenforced allowlist or a trust-all CORS policy — the code did exactly what it was told, and what it was told was catastrophic.


If you operate Gitea, or Forgejo, or any self-hosted forge, the immediate move is the patch, and the durable move is to stop treating your source-control host as internal furniture. It holds your crown jewels — code, secrets, CI tokens, container layers — and it is on the internet, and it is now demonstrably a serial target. Put it behind real access control, restrict the trusted-proxy list to the actual proxy address, rotate anything an X-WEBAUTH-USER impersonator could have touched if you ran a vulnerable version exposed, and start scanning your own developer tier the way an attacker already is.


Held to about ninety-five percent confidence: we did not call this specific CVE, and we are not dressing our May Gitea post up as a prediction of it. What we called was the surface. The surface bled again on schedule.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page