Two critical Gitea security flaws currently threaten self-hosted development environments. These severe vulnerabilities allow remote attackers to bypass authentication entirely and execute Server-Side Request Forgery (SSRF) attacks. Administrators must apply the latest software patches immediately to protect their codebases.
Gitea provides a popular platform for code management, issue tracking, and CI/CD pipelines. An attacker exploiting these critical Gitea security flaws could take full control over administrative accounts. Furthermore, they could access highly sensitive internal cloud infrastructure. Security researchers have publicly disclosed the technical details for both vulnerabilities. Public proof-of-concept exploit code also exists. However, no active exploitation in the wild has been confirmed at this time.
Authentication Bypass Mechanism
The first vulnerability is tracked as CVE-2026-20896 and carries a critical 9.8 CVSS severity score. The flaw specifically affects Gitea Docker images configured to use reverse proxy authentication. The default configuration template mistakenly trusts proxy headers from any source IP address instead of only the loopback address.
Consequently, an attacker can simply inject the `X-WEBAUTH-USER` header into their HTTP request. This action allows them to impersonate any known user without supplying a password or session cookie. Attackers will likely target administrative accounts to gain complete system control.
Incomplete SSRF Protection
The second vulnerability is tracked as CVE-2026-22874 and holds a high 9.6 CVSS severity score. The flaw stems from an incomplete SSRF allow-list within the webhook and repository migration features. The default filter relies on a standard Go library function that fails to block several internal IP ranges.
Authenticated users can exploit this weakness to target cloud metadata services like AWS IMDS or Azure WireServer. They can also probe internal networks on specific carrier-grade NAT ranges. The attackers can then read the full HTTP response bodies through the Gitea webhook history interface.
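The following Go snippet is an added illustration, not Gitea's own code or its fix: it contrasts an outbound-target check built only on the standard library's IsPrivate/IsLoopback predicates with an explicit deny-list of the kind the article says was missing. The specific addresses used for AWS IMDS (169.254.169.254), Azure WireServer (168.63.129.16) and the carrier-grade NAT block (100.64.0.0/10) are assumptions drawn from general knowledge, not values quoted by the article.

```go
package main

import "net/netip"

// Added example, not Gitea's code: prefixes an outbound webhook or migration
// fetcher should refuse. The ranges beyond RFC 1918 and loopback are the ones
// a filter built only on the stdlib IsPrivate/IsLoopback predicates misses.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"),    // carrier-grade NAT (RFC 6598), assumed range
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),   // link-local; AWS IMDS at 169.254.169.254 (assumed)
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("168.63.129.16/32"), // Azure WireServer (assumed)
	netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
}

// weakIsInternal models a filter that trusts only the stdlib predicates.
func weakIsInternal(ipStr string) bool {
	ip, err := netip.ParseAddr(ipStr)
	if err != nil {
		return true // unparsable input is never allowed out
	}
	return ip.IsLoopback() || ip.IsPrivate()
}

// hardenedIsInternal unmaps IPv4-in-IPv6 forms, walks the explicit deny-list,
// and finally rejects anything that is not global unicast (multicast, 0.0.0.0, ...).
func hardenedIsInternal(ipStr string) bool {
	ip, err := netip.ParseAddr(ipStr)
	if err != nil {
		return true
	}
	ip = ip.Unmap() // ::ffff:169.254.169.254 must be judged as 169.254.169.254
	for _, p := range blockedPrefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return !ip.IsGlobalUnicast()
}

func main() {
	for _, target := range []string{"169.254.169.254", "100.100.100.200", "::ffff:169.254.169.254", "203.0.113.10"} {
		println(target, "weak:", weakIsInternal(target), "hardened:", hardenedIsInternal(target))
	}
}
```

A real deployment must apply the check to every address the hostname resolves to, and again after each redirect, or the deny-list can be sidestepped.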
Affected Versions and Patch Steps
Both vulnerabilities impact Gitea versions 1.26.2 and earlier. Self-built deployments using the standard example configuration file remain safe from the authentication bypass flaw.
Administrators should upgrade to Gitea version 1.26.3 immediately. You can review the official security advisories for a deeper technical breakdown. System administrators can download the patched software directly from the official Gitea releases page.