VYPR advisory · Published May 27, 2026 · 1 source

Critical Gitea Vulnerability CVE-2026-27771 Exposes Private Container Images Without Authentication

A critical vulnerability in Gitea, CVE-2026-27771, allows unauthenticated attackers to pull private container images from over 30,000 self-hosted deployments, potentially exposing sensitive data from healthcare, aerospace, and other sectors.

Cybersecurity researchers have disclosed a critical vulnerability in Gitea, an open-source, self-hosted platform for version control and DevOps, that allows unauthenticated remote attackers to pull private container images without requiring any credentials. Tracked as CVE-2026-27771, the flaw affects all versions of Gitea prior to version 1.26.2, which patches the issue.

The vulnerability was discovered by the U.K.-based security firm Noscope, which found that the private designation on container repositories did not provide the protection operators expected. "Gitea's container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public," Noscope said in its disclosure.

According to Noscope, the security defect likely impacts more than 30,000 deployments across over 30 countries and went undetected for close to four years. The vast majority of the exposures are in China, the United States, Germany, France, and the United Kingdom. Affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure, and internet service providers, making the potential for data leakage severe.

The flaw is particularly dangerous because it requires no authentication—attackers do not need an account, password, or any prior access to pull private images. This means any container image stored in a Gitea registry on an affected version is effectively public, exposing proprietary code, sensitive configurations, and credentials embedded in images.

Noscope also warned that any fork of Gitea should be treated as potentially impacted until independently verified; in Noscope's own testing, the popular fork Forgejo was confirmed to be vulnerable. No additional technical details about the exploit mechanism have been released, likely to give users time to patch.

Gitea users are strongly advised to update to version 1.26.2 immediately. If patching is not an immediate option, a temporary workaround is to set `service.REQUIRE_SIGNIN_VIEW=true` in the Gitea configuration. However, this approach is not ideal if some containers are meant to be intentionally exposed publicly, as it would require authentication for all registry access.
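The workaround above goes in the `[service]` section of Gitea's `app.ini` as `REQUIRE_SIGNIN_VIEW = true`. After patching to 1.26.2 or applying that setting, an operator will want to confirm the fix actually took on their own instance. The script below is an added example for that purpose; it is not code from the advisory, from Noscope, or from the Gitea project. It assumes the instance exposes the standard Gitea `/api/v1/version` endpoint and the OCI Distribution API under `/v2/<owner>/<image>/manifests/<tag>` (both are real Gitea endpoints); the host name `gitea.example.internal` and the owner/image names are placeholders the operator replaces with an instance and a private image they control.

```python
"""Verify that a Gitea instance is no longer affected by CVE-2026-27771.

Two checks, both run against a host you operate:
  1. /api/v1/version must report Gitea >= 1.26.2 (the fixed release).
  2. An anonymous GET of a private image manifest must be rejected
     (401/403 or 404), never answered with 200.
"""
import json
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (1, 26, 2)  # first Gitea release that patches CVE-2026-27771


def parse_version(raw: str) -> tuple:
    """Turn '1.26.2' or '1.27.0+dev-12-gabcdef' into a comparable tuple.

    Only the leading numeric prefix is compared; build metadata after '+'
    or '-' is ignored. Forks such as Forgejo use their own numbering, so
    this comparison is only meaningful for upstream Gitea; treat forks as
    affected until verified independently.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(raw_version: str) -> bool:
    """True when the reported version is at or past the fixed release."""
    return parse_version(raw_version) >= FIXED_VERSION


def classify_manifest_status(status: int) -> str:
    """Interpret the HTTP status of an unauthenticated manifest request."""
    if status == 200:
        return "EXPOSED"        # private image served without credentials
    if status in (401, 403):
        return "PROTECTED"      # registry demanded authentication
    if status == 404:
        return "NOT_SERVED"     # hidden or mistyped; confirm owner/image/tag
    return "UNEXPECTED"


def fetch_status(url: str) -> int:
    """HTTP GET with no Authorization header; return the status code."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.oci.image.manifest.v1+json, "
                  "application/vnd.docker.distribution.manifest.v2+json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_instance(base_url: str, owner: str, image: str, tag: str = "latest") -> dict:
    """Run both checks against one instance and return a summary dict."""
    base = base_url.rstrip("/")
    with urllib.request.urlopen(f"{base}/api/v1/version", timeout=10) as resp:
        version = json.load(resp)["version"]
    # Gitea lowercases owner and image names in registry paths.
    status = fetch_status(f"{base}/v2/{owner.lower()}/{image.lower()}/manifests/{tag}")
    return {
        "version": version,
        "patched": is_patched(version),
        "manifest_status": status,
        "verdict": classify_manifest_status(status),
    }


if __name__ == "__main__":
    # Placeholder host and names; replace with your own instance and a
    # private image you own.
    if len(sys.argv) < 4:
        sys.exit("usage: check_gitea_registry.py "
                 "https://gitea.example.internal OWNER IMAGE [TAG]")
    result = check_instance(*sys.argv[1:5])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["patched"] and result["verdict"] != "EXPOSED" else 1)
```

A `200` on the manifest request from a client with no credentials is the condition the advisory describes, so the script exits non-zero in that case even if the version string looks current; a `PROTECTED` verdict on an instance still running an older release indicates the `REQUIRE_SIGNIN_VIEW` workaround is in effect but the upgrade is still outstanding.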

The disclosure of CVE-2026-27771 highlights the risks associated with self-hosted DevOps platforms, where misconfigurations or overlooked vulnerabilities can lead to massive data exposure. As organizations increasingly rely on containerized workflows, ensuring that container registries are properly secured is critical to preventing unauthorized access to sensitive intellectual property and infrastructure secrets.

Synthesized by Vypr AI