Hackers exploit Gitea Docker auth bypass flaw in the wild

Attackers are already weaponizing a critical authentication bypass in the official Gitea Docker image, turning any exposed instance into an open door for account takeover. The flaw lets unauthenticated users impersonate any account—including site administrators—simply by crafting specially formatted HTTP requests. Once inside, attackers can read private repositories, push malicious code, or plant backdoors without leaving obvious traces.
Security researchers first disclosed the issue on May 22 after confirming active exploitation in the wild. The vulnerability stems from a missing permission check in the Gitea API endpoint that handles session creation, a component that was inadvertently exposed in the official gitea/gitea Docker image. Because the flaw is present in the default deployment, any organization running Gitea via Docker—including cloud-hosted and on-premise setups—should treat this as an emergency patch window.
The anatomy of the bypass
The exploit hinges on two conditions: Docker-based deployments using the default configuration and the API endpoint remaining accessible without authentication. By sending a spoofed X-Gitea-OTP header alongside a manipulated user identifier, an attacker can hijack sessions for any existing account. Gitea’s maintainers described the issue as “trivial to exploit” and assigned it CVE-2024-46982, urging all users to upgrade to version 1.22.0 or later.
Cloud and self-hosted users in the crosshairs
The reach of this flaw is unusually broad. Cloud providers that offer Gitea-as-a-service are also affected if they rely on the vulnerable image, while countless self-hosted teams running Gitea behind a reverse proxy may still be exposed if their Docker image hasn’t been updated. Security firm Aqua Security noted that images pulled before May 22 are at risk, meaning even freshly deployed containers could harbor the vulnerability.
Why it matters
This is not a theoretical risk: attackers have already automated scans for exposed Gitea endpoints, and exploit code is circulating on underground forums. For teams that cannot immediately patch, isolating the Docker host network, disabling public API access, or switching to a non-Docker deployment are critical stopgaps. The incident underscores how containerized deployments can inherit systemic flaws and why continuous verification of base images is now table stakes for DevOps and security teams alike.
Source: BleepingComputer. AI-assisted editorial synthesis — TechnoExpress.

