Threat Advisory

Gitea Vulnerabilities Expose Request Header Spoofing

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

Two vulnerabilities have been revealed in Gitea, an open-source self-hosted Git service. The flaws include an authentication bypass that permits unauthenticated users to assume any account by forging proxy headers, and a server-side request forgery weakness that allows crafted requests to reach internal services such as cloud metadata endpoints. Both vulnerabilities enable attackers to gain administrative control, exfiltrate sensitive code, and pivot to internal infrastructure, posing severe confidentiality, integrity, and availability risks for organizations that rely on Gitea for software development, CI/CD pipelines, and code collaboration.



CVE-2026-20896 with a CVSS score of 9.8 – The vulnerability arises from a misconfigured reverse-proxy authentication template that trusts the X-WEBAUTH-USER header from any source IP, so an unauthenticated attacker who can reach the Gitea listener directly can set the header to any login name and be treated as that user, including an administrator, with no password or session cookie. Header-based proxy authentication is only safe when the application honours the header solely on connections from its configured trusted proxies, and the proxy itself overwrites or strips any copy of the header that arrived from the client.
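The trust decision behind this issue, written out as an added illustrative Go example (this is not Gitea's code; the type HeaderAuthConfig, the Spoof helper, the WeakConfig and HardenedConfig values, and the peer addresses are all constructed for the demonstration). The weak configuration treats every source network as a proxy, so the identity header is accepted from anyone; the hardened one honours it only on loopback connections, which is where a same-host reverse proxy connects from, and fails closed on anything it cannot parse:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HeaderAuthConfig is an illustrative stand-in (not Gitea's own configuration
// type) for the two settings that decide whether a proxy-supplied identity
// header is honoured: the header name and the networks allowed to assert it.
type HeaderAuthConfig struct {
	UserHeader     string   // header carrying the login name, e.g. X-WEBAUTH-USER
	TrustedProxies []string // CIDRs whose connections may assert an identity
}

// WeakConfig reproduces the flaw class: every source address is "trusted", so
// the header is accepted from anyone who can reach the listener directly.
var WeakConfig = HeaderAuthConfig{
	UserHeader:     "X-WEBAUTH-USER",
	TrustedProxies: []string{"0.0.0.0/0", "::/0"},
}

// HardenedConfig honours the header only on connections from loopback, which is
// where a reverse proxy running on the same host connects from.
var HardenedConfig = HeaderAuthConfig{
	UserHeader:     "X-WEBAUTH-USER",
	TrustedProxies: []string{"127.0.0.0/8", "::1/128"},
}

// trusts reports whether the TCP peer address belongs to a trusted proxy.
// Anything unparsable fails closed.
func (c HeaderAuthConfig) trusts(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, cidr := range c.TrustedProxies {
		if _, network, err := net.ParseCIDR(cidr); err == nil && network.Contains(ip) {
			return true
		}
	}
	return false
}

// AuthenticatedUser returns the login the server would accept for r, or "" for
// an anonymous request. The decision is made on the transport peer
// (r.RemoteAddr), never on a client-controllable header such as X-Forwarded-For.
func (c HeaderAuthConfig) AuthenticatedUser(r *http.Request) string {
	if !c.trusts(r.RemoteAddr) {
		return ""
	}
	return strings.TrimSpace(r.Header.Get(c.UserHeader))
}

// Spoof simulates an unauthenticated client at clientAddr that bypasses the
// proxy and sends the identity header straight to the application.
func Spoof(cfg HeaderAuthConfig, clientAddr, claimedUser string) string {
	r := httptest.NewRequest(http.MethodGet, "/api/v1/user", nil)
	r.RemoteAddr = clientAddr // constructed peer address for the simulation
	r.Header.Set(cfg.UserHeader, claimedUser)
	return cfg.AuthenticatedUser(r)
}

func main() {
	attacker := "203.0.113.5:40000" // constructed Internet client
	proxy := "127.0.0.1:40001"      // constructed same-host reverse proxy
	fmt.Printf("weak,     from attacker: %q\n", Spoof(WeakConfig, attacker, "admin"))
	fmt.Printf("hardened, from attacker: %q\n", Spoof(HardenedConfig, attacker, "admin"))
	fmt.Printf("hardened, from proxy:    %q\n", Spoof(HardenedConfig, proxy, "admin"))
}
```

The peer-address check is necessary but not sufficient on its own: the proxy in front must overwrite the identity header on every forwarded request rather than pass through whatever the client sent, and the application port should be reachable only from the proxy, so that a request bypassing the proxy never arrives at all.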

CVE-2026-22874 with a CVSS score of 9.6 – This SSRF flaw stems from an incomplete allow-list in the webhook and repository migration features; an attacker who can trigger a webhook can craft its target URL to reach internal IP ranges or cloud metadata services (for example the link-local 169.254.169.254 endpoint used by the major cloud providers), read the full HTTP response from the webhook delivery history, and potentially harvest credentials or configuration data.
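A destination check of the kind a webhook or migration feature needs, added here as an illustrative Go example and not Gitea's own code. CheckOutboundURL, LookupConstructed, constructedDNS and the example hostnames are assumptions made for the demonstration; the DNS table is constructed so the code runs offline. Rather than an allow-list of one or two metadata addresses, it rejects every non-public range after resolving the host, judges IPv4-mapped IPv6 literals by their IPv4 form, requires all DNS answers to be public, and fails closed on anything it cannot parse or resolve:

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver maps a hostname to the addresses it resolves to. A deployment would
// wrap net.DefaultResolver; here a constructed table is injected so the example
// runs offline and the multi-answer case is deterministic.
type Resolver func(host string) ([]netip.Addr, error)

// ErrBlockedTarget is returned when any resolved address is non-public.
var ErrBlockedTarget = errors.New("target resolves to a non-public address")

// isPublic rejects every range an internal service or metadata endpoint can
// live in. Unmap first so ::ffff:169.254.169.254 is judged as 169.254.169.254.
func isPublic(a netip.Addr) bool {
	a = a.Unmap()
	return !(a.IsLoopback() || a.IsPrivate() || a.IsUnspecified() ||
		a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() ||
		a.IsInterfaceLocalMulticast() || a.IsMulticast())
}

// CheckOutboundURL validates a user-supplied webhook or migration URL and
// returns the single vetted address the HTTP client may dial. Every resolved
// address must be public: one private answer among several is enough to reject.
func CheckOutboundURL(raw string, resolve Resolver) (netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return netip.Addr{}, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return netip.Addr{}, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // brackets around IPv6 literals are stripped
	if host == "" {
		return netip.Addr{}, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: no DNS involved
	} else if addrs, err = resolve(host); err != nil {
		return netip.Addr{}, err // unknown or unparsable hosts fail closed
	}
	if len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, a := range addrs {
		if !isPublic(a) {
			return netip.Addr{}, fmt.Errorf("%w: %s -> %s", ErrBlockedTarget, host, a)
		}
	}
	return addrs[0], nil
}

// constructedDNS is sample data standing in for real DNS answers.
var constructedDNS = map[string][]string{
	"hooks.example.com":     {"198.51.100.10"},
	"localhost":             {"127.0.0.1"},
	"metadata.evil.example": {"169.254.169.254"},
	"rebind.evil.example":   {"198.51.100.20", "10.0.0.5"},
}

// LookupConstructed is the offline Resolver used by the example.
func LookupConstructed(host string) ([]netip.Addr, error) {
	answers, ok := constructedDNS[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	out := make([]netip.Addr, 0, len(answers))
	for _, s := range answers {
		out = append(out, netip.MustParseAddr(s))
	}
	return out, nil
}

func main() {
	for _, raw := range []string{
		"https://hooks.example.com/ci",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:169.254.169.254]/latest/meta-data/",
		"http://metadata.evil.example/",
		"http://rebind.evil.example/",
		"http://localhost:3000/api/v1/admin/users",
		"file:///etc/passwd",
	} {
		addr, err := CheckOutboundURL(raw, LookupConstructed)
		if err != nil {
			fmt.Printf("REJECT %-52s %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %-52s -> %s\n", raw, addr)
		}
	}
}
```

A check like this must be enforced where the connection is actually made (a custom dialer on the HTTP transport that dials the vetted address, and a redirect policy that re-runs the check on every hop); validating the URL once at save time and then letting the client resolve and follow redirects on its own leaves DNS rebinding and 3xx redirects to an internal address as bypasses.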

 

RECOMMENDATION:

 

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/critical-gitea-security-flaws/
