CVE-2026-20896 — NCSC-CH escalates the Gitea Docker reverse-proxy auth bypass to 'actively exploited'
UPDATE · originally covered CVE-2026-20896 — Gitea (Docker): trust-all reverse-proxy default lets an unauthenticated attacker impersonate any user via X-WEBAUTH-USER (2026-06-23)
Switzerland's NCSC added CVE-2026-20896 to its Cyber Security Hub on 2026-07-10 (08:55 UTC) and set its current exploitation status to "Actively Exploited, Proof of Concept Available", reiterating that "[s]uccessful exploitation allows unauthenticated attackers to gain full administrative control of Gitea instances via a single custom HTTP header" (NCSC-CH, 2026-07-10). This is the first national-CERT escalation of the flaw's status since the June disclosure of the Docker image's trust-all REVERSE_PROXY_TRUSTED_PROXIES default (mechanics and patch unchanged from the original entry).
The escalation warrants a caveat rather than a panic. The only public exploitation reporting traces to Sysdig telemetry surfaced on 2026-07-06, and the two outlets that carried it diverge. The Hacker News quotes Sysdig's Michael Clark saying the single probe from a ProtonVPN-associated IP had "not so far progressed to any exploitation or attack progress" and characterises the activity as initial investigation by the threat actor rather than compromise (The Hacker News, 2026-07-06). SecurityWeek's coverage of the same Sysdig telemetry frames it as active exploitation and omits that caveat (SecurityWeek, 2026-07-07) — so the "actively exploited" characterisation is itself contested across the very reporting NCSC-CH cites. NCSC-CH's advisory does not resolve the gap with its own data, so the defensible read is "scanning confirmed, compromise unconfirmed" — which changes nothing about the remediation priority: a public PoC exists for a pre-auth admin-takeover on software Sysdig counts at roughly 6,200 internet-facing instances, and self-hosted Gitea is common across DACH/EU public-sector and academic DevOps.
Current exploitation status: Actively Exploited, Proof of Concept Available
Successful exploitation allows unauthenticated attackers to gain full administrative control of Gitea instances via a single custom HTTP header.
So far, the activities have been related to initial investigation by the threat actor,
Defender actions
- Treat internet-reachable Gitea Docker instances as urgent: upgrade to ≥ 1.26.4 now, and set REVERSE_PROXY_TRUSTED_PROXIES to the exact proxy IP/CIDR (never the wildcard) or disable ENABLE_REVERSE_PROXY_AUTHENTICATION if header-auth is unused.
- Hunt Gitea sign-in/audit logs for X-WEBAUTH-USER-authenticated admin sessions whose source IP is not the configured trusted proxy — by construction any such hit is a spoofed header, and it is the discriminator that separates exploitation from legitimate proxy auth.
ATT&CK mapping
1 technique mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Sources
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.