A vulnerability in open source, self-hosted Git service Gitea could have allowed unauthenticated attackers to pull private container images from over 30,000 deployments, AI pentesting firm NoScope warns.

Tracked as CVE-2026-27771, the security flaw is described as an access control issue impacting Gitea’s built-in container registry. Forgejo, which shares the implementation, is also affected. Other Gitea-derived forks may be impacted as well.

Because of the flaw, the container registry did not enforce authentication on images marked as private and served them anyway in response to standard, anonymous Docker/OCI pull requests to the registry API.

The security defect lurked in Gitea’s code for approximately four years before being patched in version 1.26.2, which was released last week.

“Gitea’s container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public,” NoScope says.