{"uuid": "e89b442e-1e5f-4538-8224-70fb6e494caa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-20896", "type": "seen", "source": "https://bsky.app/profile/suriq.io/post/3mpyqphtlhf2i", "content": "Gitea's official Docker image trusts the X-WEBAUTH-USER login header from any IP, so with reverse-proxy auth on, anyone reachable can log in as any user, no password.\n\nAffects images through 1.26.2. Fix: upgrade to 1.26.3. (CVE-2026-20896)", "creation_timestamp": "2026-07-06T18:44:43.380456Z"}