ctipilot.ch


CVE-2026-20896 — Gitea (Docker): trust-all reverse-proxy default lets an unauthenticated attacker impersonate any user via `X-WEBAUTH-USER`

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

Gitea 1.26.3 (2026-06-20) and 1.26.4 (2026-06-21) fix a cluster of four flaws; the critical one is CVE-2026-20896 (CVSS 9.8). The official Gitea Docker image shipped with REVERSE_PROXY_TRUSTED_PROXIES defaulting to the wildcard `*`, so Gitea accepted the reverse-proxy authentication header from any source address rather than only from the proxy in front of it. Any attacker who can reach the container's HTTP port can therefore send an `X-WEBAUTH-USER` header naming an arbitrary user, including an administrator, and is authenticated as that user with no credentials (Gitea, 2026-06-21; GitHub Security Advisory GHSA-f75j-4cw6-rmx4, 2026-06-21). Bare-metal deployments that set an explicit trusted-proxy CIDR are unaffected unless they also set the wildcard.

The same releases also patch CVE-2026-27775 (protected-branch enforcement race in single-push batch operations), CVE-2026-20779 (CVSS 7.1, TOTP 2FA bypass via a web-flow TOCTOU race and stateless X-Gitea-OTP replay inside the OTP validity window) and CVE-2026-22874 (SSRF in the webhook and repo-migration subsystems). Germany's BSI issued WID-SEC-2026-2027 on 2026-06-22 rating the set "hoch" (BSI WID, 2026-06-22).

No in-the-wild exploitation has been reported yet; the item is included because it meets the pre-auth-critical-on-widely-deployed-software gate. Gitea is the dominant self-hosted GitHub alternative across DACH/EU public-sector DevOps and sovereign-cloud environments, so an internet-reachable or loosely segmented Docker instance is an immediate admin-takeover risk (T1190 Exploit Public-Facing Application, T1078.001 Default Accounts).

Mitigations: set REVERSE_PROXY_TRUSTED_PROXIES to the exact reverse-proxy IP/CIDR, or disable ENABLE_REVERSE_PROXY_AUTHENTICATION entirely if header-based auth is not used; upgrade to 1.26.4. Hunt for admin logins sourced from the reverse-proxy IP with no corresponding password-auth audit entry, and for webhook calls to RFC 1918 addresses.
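The following is an added example, not code from Gitea or from this brief: a small linter that reads a Gitea `app.ini` and reports whether the trusted-proxy setting reproduces the CVE-2026-20896 condition (wildcard trust while header auth is on), and that shows the weak and corrected configurations side by side. The key names come from the brief; the assumption that ENABLE_REVERSE_PROXY_AUTHENTICATION lives under `[service]` and REVERSE_PROXY_TRUSTED_PROXIES under `[security]` reflects how Gitea's app.ini is laid out as I know it and should be verified against your build. The sample configurations are constructed.

```python
"""Lint a Gitea app.ini for wildcard reverse-proxy trust (CVE-2026-20896 check).

Hypothetical defender-side checker, not Gitea code. Section placement of the
two keys ([service] / [security]) is an assumption; verify against your build.
"""
import configparser
import ipaddress

# Values that make the auth header trusted from any client address.
WILDCARDS = {"*", "0.0.0.0/0", "::/0"}
_RANK = {"ok": 0, "warning": 1, "critical": 2}

# Constructed sample: the weak Docker-style setting (assumed layout).
VULNERABLE_INI = """
APP_NAME = Gitea
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
[security]
REVERSE_PROXY_TRUSTED_PROXIES = *
"""

# Constructed sample: the corrected setting, trusting only the proxy itself.
HARDENED_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
[security]
REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.5/32,fd00::5/128
"""

# Constructed sample: header auth switched off entirely.
DISABLED_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
[security]
REVERSE_PROXY_TRUSTED_PROXIES = *
"""


def parse_app_ini(text: str) -> configparser.ConfigParser:
    """Parse app.ini; Gitea allows keys before any section, so wrap them in a dummy one."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key names exactly as written (upper-case)
    cfg.read_string("[__root__]\n" + text)
    return cfg


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def lint_reverse_proxy_auth(text: str) -> dict:
    """Return {'severity', 'reasons', 'trusted'} for one app.ini text."""
    cfg = parse_app_ini(text)
    enabled = cfg.get("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback=None)
    trusted_raw = cfg.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback=None)
    severity, reasons, trusted = "ok", [], []

    def raise_to(level: str, why: str) -> None:
        nonlocal severity
        if _RANK[level] > _RANK[severity]:
            severity = level
        reasons.append(why)

    if enabled is not None and not _truthy(enabled):
        reasons.append("header auth disabled; REVERSE_PROXY_TRUSTED_PROXIES is not consulted")
        return {"severity": severity, "reasons": reasons, "trusted": trusted}
    if enabled is None:
        raise_to("warning", "ENABLE_REVERSE_PROXY_AUTHENTICATION unset; assuming enabled for this check")
    if trusted_raw is None:
        raise_to("warning", "REVERSE_PROXY_TRUSTED_PROXIES unset; Docker image default was '*' (CVE-2026-20896)")
        return {"severity": severity, "reasons": reasons, "trusted": trusted}

    for entry in (e.strip() for e in trusted_raw.split(",") if e.strip()):
        if entry in WILDCARDS:
            raise_to("critical", f"'{entry}' trusts X-WEBAUTH-USER from any source (CVE-2026-20896)")
            continue
        try:
            trusted.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            raise_to("warning", f"unparseable trusted-proxy entry '{entry}'")
    if not trusted and severity == "ok":
        raise_to("warning", "no valid trusted-proxy networks listed")
    return {"severity": severity, "reasons": reasons, "trusted": trusted}


def proxy_is_trusted(client_ip: str, trusted: list) -> bool:
    """CIDR membership as this script models it: is the peer one of the trusted proxies?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted)


if __name__ == "__main__":
    for name, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI), ("disabled", DISABLED_INI)):
        print(name, lint_reverse_proxy_auth(ini))
```

Run it against a real `app.ini` by passing the file contents to `lint_reverse_proxy_auth`; a `critical` result means the instance accepts the auth header from any peer and needs the exact proxy CIDR (or header auth disabled) before or alongside the 1.26.4 upgrade. `proxy_is_trusted` is the membership check you can use to confirm that the configured CIDR really covers the proxy's egress address and nothing else.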