VYPR advisory · Published May 28, 2026 · 1 source

Critical Gitea Vulnerability CVE-2026-27771 Exposes 30,000+ Self-Hosted Git Instances to Container Image Theft

An access control flaw in Gitea's container registry (CVE-2026-27771) allowed unauthenticated attackers to pull private container images from over 30,000 self-hosted deployments, risking exposure of source code and credentials.

A critical access control vulnerability in Gitea's built-in container registry, tracked as CVE-2026-27771, has left over 30,000 self-hosted Git service deployments exposed to unauthorized data theft. The flaw, discovered by AI pentesting firm NoScope, allowed any unauthenticated attacker on the internet to pull private container images as if they were public, bypassing the intended authentication requirements entirely.

The vulnerability resided in Gitea's implementation of the Docker/OCI registry API. When a user marked a container image as private, the interface correctly hid it from unauthenticated browsing — but the underlying registry API continued to serve the image in response to standard anonymous pull requests. NoScope described the bug as having lurked in Gitea's codebase for approximately four years before being patched in version 1.26.2, released last week. Forgejo, a Gitea fork that shares the same container registry implementation, is also affected; other derived forks may be impacted as well.

The consequences are severe. Container images regularly bundle source code, hardcoded credentials, API keys, environment variables, and detailed infrastructure configurations. An attacker pulling a private image could gain immediate insight into a target's development workflows, internal services, and cloud access tokens. NoScope characterized the impact as "considerable," noting that the bug effectively nullified the privacy setting administrators relied upon.

NoScope used Shodan to scan for internet-facing Gitea instances and identified over 34,000. Of those, approximately 93% — or 31,750 instances — were likely running a vulnerable version. Further analysis showed that roughly 4,000 of those were production systems running on major cloud or VPS platforms, and 7,000 were still listening on Gitea's default port. "These aren't hobby machines," NoScope wrote. "These are organisations that made a deliberate decision to self-host their development infrastructure, running it on production-grade compute, for real workloads."

Organizations running Gitea are urged to update to version 1.26.2 immediately. For those who cannot upgrade promptly, NoScope advises enabling the configuration option that requires authentication for all content access; this workaround also blocks intentionally public image hosting. The patch was published on May 21, 2026, and the disclosure was coordinated with NoScope.
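Two checks an administrator will want after reading the above, as an added example that is neither Gitea's, Forgejo's nor NoScope's code: first, a retrospective sweep of the instance's access log for anonymous requests that received a successful response for the manifest or blobs of an image that was marked private (the behaviour the advisory describes), and second, a parser for app.ini that reports whether the interim workaround is in place. Assumptions, labelled in the comments: the log lines follow Gitea's default combined-style access log template with the authenticated identity in the second field (`-` when anonymous); registry reads use the standard OCI distribution paths `/v2/<owner>/<image>/manifests/<ref>` and `/v2/<owner>/<image>/blobs/<digest>`; and the "require authentication for all content access" setting the advisory refers to is `[service] REQUIRE_SIGNIN_VIEW`. The log lines, image names and app.ini contents are constructed sample data.

```python
"""Added example (not Gitea's or NoScope's code): defender-side triage for CVE-2026-27771.

1. find_anonymous_private_pulls: flag anonymous 2xx manifest/blob reads of private images
2. require_signin_view_enabled: check app.ini for the interim workaround
Log format, registry paths and the setting name are assumptions (see comments).
"""
import configparser
import re
from dataclasses import dataclass

# Assumption: Gitea's default ACCESS_LOG_TEMPLATE, a combined-style line whose
# second field is the authenticated identity ("-" for anonymous requests).
LOG_RE = re.compile(
    r'^(?P<host>\S+) - (?P<identity>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: OCI distribution API paths as served by Gitea's registry.
# Only manifest and blob reads disclose image content; /v2/ pings and tag lists do not.
REGISTRY_RE = re.compile(
    r'^/v2/(?P<owner>[^/]+)/(?P<image>.+?)/(?P<kind>manifests|blobs)/(?P<ref>[^?]+)'
)


@dataclass(frozen=True)
class AnonPull:
    host: str
    timestamp: str
    owner: str
    image: str
    kind: str       # "manifests" or "blobs"
    reference: str  # tag, manifest digest or blob digest


def find_anonymous_private_pulls(log_lines, private_images):
    """Return one AnonPull per anonymous GET/HEAD that got a 2xx for a manifest or
    blob of an image listed in `private_images` (a set of "owner/image" strings,
    which in practice you export from the instance's package settings).
    Blobs are reported too: layers are where source code and credentials live."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        if m.group("identity") != "-" or m.group("method") not in ("GET", "HEAD"):
            continue  # authenticated user, or a write rather than a read
        if not m.group("status").startswith("2"):
            continue  # the registry refused or could not find it
        r = REGISTRY_RE.match(m.group("path"))
        if not r:
            continue  # not a registry content read
        if f"{r.group('owner')}/{r.group('image')}" in private_images:
            hits.append(AnonPull(m.group("host"), m.group("ts"), r.group("owner"),
                                 r.group("image"), r.group("kind"), r.group("ref")))
    return hits


def require_signin_view_enabled(app_ini_text):
    """Parse app.ini text and report whether [service] REQUIRE_SIGNIN_VIEW is true.
    Assumption: this is the setting the advisory calls 'require authentication for
    all content access'; it forces sign-in for every page and API call, which is
    exactly why it also breaks intentionally public images."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        inline_comment_prefixes=(";", "#"),
    )
    cp.optionxform = str  # keep Gitea's upper-case keys as written
    # Gitea places a few keys before the first section header; give them a home.
    cp.read_string("[__root__]\n" + app_ini_text)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


# Constructed sample data (RFC 5737 addresses, made-up digests and image names).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2026:10:01:12 +0000] "GET /v2/ HTTP/1.1" 401 0 "" "docker/26.1"',
    '203.0.113.7 - - [22/May/2026:10:01:13 +0000] "GET /v2/acme/backend/manifests/latest HTTP/1.1" 200 1487 "" "docker/26.1"',
    '203.0.113.7 - - [22/May/2026:10:01:14 +0000] "GET /v2/acme/backend/blobs/sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 HTTP/1.1" 200 31457280 "" "docker/26.1"',
    '198.51.100.4 - alice [22/May/2026:10:05:00 +0000] "GET /v2/acme/backend/manifests/latest HTTP/1.1" 200 1487 "" "docker/26.1"',
    '203.0.113.7 - - [22/May/2026:10:06:30 +0000] "GET /v2/acme/website/manifests/v2 HTTP/1.1" 200 1201 "" "docker/26.1"',
    '203.0.113.9 - - [22/May/2026:10:07:00 +0000] "GET /api/v1/repos/acme/backend HTTP/1.1" 404 0 "" "curl/8.5"',
]
PRIVATE_IMAGES = {"acme/backend"}  # acme/website is intentionally public

SAMPLE_APP_INI_WEAK = """\
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[server]
DOMAIN = git.example.test ; constructed hostname
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
"""
SAMPLE_APP_INI_HARDENED = SAMPLE_APP_INI_WEAK.replace(
    "REQUIRE_SIGNIN_VIEW = false", "REQUIRE_SIGNIN_VIEW = true")

if __name__ == "__main__":
    for hit in find_anonymous_private_pulls(SAMPLE_LOG, PRIVATE_IMAGES):
        print(f"{hit.timestamp} anonymous {hit.host} read {hit.kind[:-1]} "
              f"{hit.owner}/{hit.image} {hit.reference[:19]}")
    print("REQUIRE_SIGNIN_VIEW enabled:", require_signin_view_enabled(SAMPLE_APP_INI_WEAK))
```

On the sample data the sweep reports the two anonymous reads of `acme/backend` (manifest and layer) from 203.0.113.7 and ignores alice's authenticated pull and the public `acme/website` image; the weak app.ini reports the workaround as disabled. Run the log function over the full retention window, not just the days since the advisory, since the advisory puts the bug's age at roughly four years; any hit means the affected image's embedded secrets should be rotated, independent of whether the instance has since been upgraded to 1.26.2.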

The Gitea vulnerability underscores a recurring pattern where self-hosted development tools — chosen for their perceived security and control — can become a blind spot when registry, package, or container subsystems are not hardened to the same standard as the core Git service. As organizations increasingly rely on containerized workflows, flaws like CVE-2026-27771 remind administrators that the attack surface extends well beyond the main application logic.

Synthesized by Vypr AI