www.noscope.com
Gitea Vulnerability Exposes 30,000 Private Container Images to Attackers
A critical vulnerability in Gitea's container registry, CVE-2026-27771, for nearly four years allowed unauthenticated users to access private container images. Discovered by Noscope in April 2026, the flaw affects over 30,000 deployments globally, including Forgejo instances. It stems from a logic error in the registry's access-control checks, which lets an attacker pull private images without presenting any credentials. Organizations running Gitea are urged to upgrade to version 1.26.2, released on May 20, 2026; the release closes this flaw but does not fully resolve the underlying architectural problems. Because the flaw is easy to exploit, the main concerns are exfiltration of image contents and compromise of any credentials or secrets baked into those images. As of now, there are no confirmed reports of active exploitation in the wild.
Key Points:
• CVE-2026-27771 allows unauthenticated access to private container images on Gitea instances.
• Over 30,000 deployments across 30 countries are affected by this vulnerability.
• Organizations are advised to upgrade to Gitea v1.26.2 to mitigate the risk.