THREAT actors are exploiting a vulnerability in Gitea's reverse-proxy authentication, identified as CVE-2026-20896, with a critical CVSS score of 9.8. This issue affects Gitea Docker images prior to version 1.26.3 and allows unauthorized access using only a valid username in an HTTP header, bypassing authentication. The vulnerability arises because Gitea defaults to allowing connections from any IP address instead of using an allowlist.
Exploitation began shortly after public disclosure, and users are urged to update their Gitea instances to prevent potential compromise of sensitive information. Following the vulnerability disclosure, around 6,200 Gitea instances were found to be internet-accessible.