Act
active
Critical auth bypass in Gitea Docker image under active exploitation
- Engineer — Act: If you run Gitea via the official Docker image, update to the patched image immediately — the flaw allows full admin impersonation and is being actively exploited. Audit recent repository access and check for unauthorized commits or access token creation.
- SOC/IR — Act: Active exploitation of an admin-impersonation bug in a self-hosted code repository warrants an assume-breach sweep: review Gitea audit logs for anomalous authentication events or unexpected admin-level actions since the vulnerability became public, and hunt for signs of unauthorized repository access or code changes.
- Leader — Act: If your organization self-hosts Gitea via Docker, confirm with engineering this week whether the vulnerable image is in use and verify patching status — unauthorized admin access to source code repositories is a direct supply chain and IP risk.
This entry was curated and judged by AI (Claude) with automated enrichment
(CISA KEV / EPSS / public PoC). Verify against the original source before
acting. Found a bad verdict?
Report it —
confirmed errors go to the corrections log.