Close Menu
    What's Hot

    McConnell Has Been Hospitalized for 3 Weeks, and Aides Won’t Say Why

    ‘Profoundly corrupt’: The EU’s leading FIFA critic sharpens his attack – Live Updates

    Leading US Democrats withdraw support for Platner after assault allegations | US Midterm Elections 2026 News

    Facebook X (Twitter) Instagram
    Trending
    • McConnell Has Been Hospitalized for 3 Weeks, and Aides Won’t Say Why
    • ‘Profoundly corrupt’: The EU’s leading FIFA critic sharpens his attack – Live Updates
    • Leading US Democrats withdraw support for Platner after assault allegations | US Midterm Elections 2026 News
    • Erdogan’s NATO Trap in Ankara
    • Trump Wanted a U.S. Soccer Star to Play in the World Cup. FIFA Found a Way.
    • Good News! Turns Out the Earth Will Never Be Swallowed by the Sun
    • TransDigm: A High Value Compounder Deserves A Strong Buy Upgrade (NYSE:TDG)
    • Arsenal transfers: Aston Villa to demand British record fee to allow Morgan Rogers sale – Paper Talk | Football News
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

    adminBy adminJuly 6, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananJul 06, 2026Vulnerability / DevOps

    Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

    Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig.

    The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the “X-WEBAUTH-USER” header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access.

    In a statement shared with The Hacker News via email, security researcher Ali Mustafa (@rz1027), who is credited with discovering and reporting the flaw, said the Gitea Docker images shipped an “app.ini” template that hard-codes “REVERSE_PROXY_TRUSTED_PROXIES = *” by default. The “app.ini” file is a core configuration file for managing server parameters, database connections, security behavior, and application settings.

    “With reverse-proxy login enabled, that wildcard trusts every source IP, so anyone who could reach the port could send an X-WEBAUTH-USER header and be authenticated as any user, with no password and no token,” Mustafa explained. “With auto-registration on, an admin username gives admin.”

    It’s worth noting that the documented safe value for the “REVERSE_PROXY_TRUSTED_PROXIES” internal variable is “127.0.0.0/8,::1/128,” meaning only localhost, aka the loopback interface, is allowed as a trusted proxy server. However, the official Docker image doesn’t use this default, hard-coding “*” instead. In other words, the allowlist check is as good as not having it.

    Cybersecurity

    Thus, when an admin sets “ENABLE_REVERSE_PROXY_AUTHENTICATION = true” to put Gitea behind an authenticating reverse proxy and leaves the “REVERSE_PROXY_TRUSTED_PROXIES” setting to its default value, it allows a X-WEBAUTH-USER custom HTTP header from any source IP that can reach the container.

    “Any process that can reach the Gitea container’s HTTP port directly – not through the intended authenticating proxy – can impersonate any user whose login name is known or guessable,” according to Gitea’s advisory. “Admin accounts (admin, gitea_admin, etc.) are the obvious targets.”

    The vulnerability affects Gitea Docker images versions before and including 1.26.2. It has been addressed in version 1.26.3 released late last month, with the “*” wildcard now removed and reverse-proxy authentication made opt-in.

    Cloud security company Sysdig has since revealed it detected the first in-the-wild exploitation attempt 13 days after public disclosure of the vulnerability. There are about 6,200 internet-facing Gitea instances.

    “So far, the activities have been related to initial investigation by the threat actor,” Michael Clark, senior director of threat research at Sysdig, told The Hacker News.

    “While we saw the first action from an IP from the ProtonVPN service, 159.26.98[.]241, it has not so far progressed to any exploitation or attack progress. We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase.”

    Given the severity of the issue, it’s essential that users apply the fixes as soon as possible for optimal protection.

    actors CVE202620896 days Disclosure Docker flaw Gitea probe threat
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleTrump Passports Debut, Delighting Some and Dismaying Others
    Next Article Arsenal transfers: Aston Villa to demand British record fee to allow Morgan Rogers sale – Paper Talk | Football News
    admin
    • Website

    Related Posts

    Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations

    July 6, 2026

    16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

    July 6, 2026

    Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

    July 6, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    McConnell Has Been Hospitalized for 3 Weeks, and Aides Won’t Say Why

    ‘Profoundly corrupt’: The EU’s leading FIFA critic sharpens his attack – Live Updates

    Leading US Democrats withdraw support for Platner after assault allegations | US Midterm Elections 2026 News

    Erdogan’s NATO Trap in Ankara

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by