// vulnerability record
cached · NVD via COSMOS sync
CVE-2026-20896
CRITICAL · published 2026-07-03 21:16 UTC · 18 hours ago
CVSS 9.8 / 10
// description
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
// weaknesses (CWE)
- CWE-284