CVE-2026-20896 – Gitea Open Source Git Server

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“Trusting every connection is the fastest way to lose control of who gets in.”

This security update addresses a critical improper access control vulnerability in the Gitea Open Source Git Server Docker image. A default configuration using REVERSE_PROXY_TRUSTED_PROXIES=* allows any source IP to be treated as trusted when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled. An attacker could exploit this behavior to impersonate another user and gain unauthorized access.

CVE-2026-20896 has a CVSS score of 9.8, which is Critical severity. A public proof-of-concept has been confirmed for this vulnerability. The update corrects the insecure default configuration and reduces the risk of user impersonation through reverse-proxy authentication.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-284
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.