Gogs – Authentication Bypass via Unvalidated Reverse Proxy Headers

19/06/2026

When ‘ENABLE_REVERSE_PROXY_AUTHENTICATION’ is enabled, Gogs accepts the configured authentication header (default: ‘X-WEBAUTH-USER’) directly from client requests without validating that the request originated from a trusted reverse proxy.

Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication.

Joshua Martinelle Fri, 06/19/2026 – 02:41
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Gogs – Authentication Bypass via Unvalidated Reverse Proxy Headers

Latest article

CyberSentinel AI with 33 Security Tools, Including Nmap, SQLMap, ZAP, and uses Claude, GPT

CVE-2025-5791 Users: `root` appended to group listings

JCPenney – 368,418 breached accounts

Threat actor adds advanced ‘EDR killer’ tools to ransomware-as-a-service platform

EDITOR PICKS

CyberSentinel AI with 33 Security Tools, Including Nmap, SQLMap, ZAP, and...

CVE-2025-5791 Users: `root` appended to group listings

JCPenney – 368,418 breached accounts

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

CyberSentinel AI with 33 Security Tools, Including Nmap, SQLMap, ZAP, and...

CVE-2025-5791 Users: `root` appended to group listings

JCPenney – 368,418 breached accounts