{"uuid": "d6b43c8e-e4e1-4963-9c3c-4c189ad75d00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-20896", "type": "seen", "source": "https://infosec.exchange/users/DarkWebInformer/statuses/116879910895582885", "content": "\ud83d\udea8 Critical Gitea flaw CVE-2026-20896 is being probed in the wild\nResearchers warn that attackers are targeting a critical Gitea Docker image flaw that can allow authentication bypass with a single HTTP header.\nThe issue affects official Gitea Docker images up to 1.26.2 when reverse-proxy authentication is enabled.\nThe vulnerable default trusted any source IP as a reverse proxy, meaning an attacker who could reach the container\u2019s HTTP port could spoof X-WEBAUTH-USER and impersonate a known or guessable user.\nGitea patched the issue in 1.26.3 / 1.26.4, and a public PoC/checker is now available.\nSysdig says the first in-the-wild probing was seen 13 days after disclosure.\nObserved IP: 159[.]26[.]98[.]241", "creation_timestamp": "2026-07-07T17:38:26.634669Z"}