Gitea CVE-2026-20896: Docker image trusts X-WEBAUTH-USER from anywhere
Gitea's Docker template shipped REVERSE_PROXY_TRUSTED_PROXIES=* — any client can send X-WEBAUTH-USER: admin and impersonate any account. CVSS 9.8. Patched in 1.26.3, skip to 1.26.4.