Gitea Vulnerability Exposes 30,000 Private Container Images to Attackers
Severity: High (Score: 72.0)
Sources: www.noscope.com, thehackernews.com, Rescana, Gbhackers, blog.gitea.com
Keywords: gitea, private, container, instances, images, flaw, deployments
Severity indicators: flaw
Summary
A critical vulnerability, CVE-2026-27771, in Gitea's container registry allowed unauthenticated users to access private container images for nearly four years. Discovered by Noscope in April 2026, the flaw affects over 30,000 deployments globally, including instances of Forgejo. The vulnerability stems from a logic error in access control, allowing attackers to pull private images without credentials. Organizations using Gitea are urged to upgrade to version 1.26.2, released on May 20, 2026, which addresses the issue but does not fully resolve underlying architectural problems. The flaw's ease of exploitation raises concerns about potential data exfiltration and credential compromise. As of now, there are no confirmed reports of active exploitation in the wild.

Key Points:
- CVE-2026-27771 allows unauthenticated access to private container images on Gitea instances.
- Over 30,000 deployments across 30 countries are affected by this vulnerability.
- Organizations are advised to upgrade to Gitea v1.26.2 to mitigate the risk.
Detailed Analysis
**Impact**

Over 30,000 internet-facing deployments of Gitea and its forks, including Forgejo, across more than 30 countries are affected. Approximately 52% of these instances run on major cloud providers such as Alibaba Cloud, Tencent Cloud, and DigitalOcean, impacting sectors including healthcare, aerospace, retail, ISPs, and enterprise software development. Private container images containing application source code, embedded secrets, API keys, database credentials, and infrastructure configurations were exposed, risking intellectual property theft, credential compromise, and potential lateral movement within organizations.

**Technical Details**

CVE-2026-27771 is an authentication bypass vulnerability in the access control logic of Gitea’s built-in container registry, allowing unauthenticated remote attackers to pull private container images without credentials. Exploitation requires only standard Docker or OCI registry API calls to affected endpoints and can be performed remotely. The vulnerability affects all Gitea versions prior to 1.26.2 and also impacts Forgejo and other forks sharing the vulnerable codebase. No public proof-of-concept exploits or IOCs have been published; the flaw resides in the registry’s failure to enforce authentication on private repositories.

**Recommended Response**

Apply the Gitea 1.26.2 patch immediately to remediate the vulnerability. As a temporary mitigation, set `REQUIRE_SIGNIN_VIEW=true` in the Gitea configuration to enforce authentication on container registry views, noting this may not suit environments intentionally exposing some containers publicly. Monitor network traffic for unauthorized Docker/OCI pull requests to Gitea container registries and audit access logs for unusual activity. No specific IOCs are available; focus on patching and configuration hardening as primary defenses.
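The access-log audit recommended above can be scripted. The following is an added example, not code from Gitea, Noscope or any of the cited articles; it assumes the log layout produced by Gitea's default access-log template (anonymous requests show `-` in the identity field), uses the standard OCI Distribution paths for manifests and blobs, and runs over a constructed sample log. It flags successful manifest or blob fetches that were served without a signed-in identity, skipping images the operator has declared intentionally public.

```python
import re

# Assumed Gitea access-log layout (an assumption modelled on Gitea's default
# ACCESS_LOG_TEMPLATE): remote - identity [time] "METHOD uri proto" status size ...
# Requests made without signing in carry "-" in the identity field.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) - (?P<identity>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# OCI Distribution endpoints that hand out image content (manifests and blobs);
# Gitea addresses images as /v2/<owner>/<image>/...
PULL_RE = re.compile(r'^/v2/(?P<image>[^/]+/[^/]+)/(?P<kind>manifests|blobs)/')

# Constructed sample log, not real traffic: 203.0.113.7 pulls a private image
# without signing in, alice pulls the same image authenticated, and 203.0.113.9
# pulls an intentionally public image anonymously.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2026:10:14:02 +0000] "GET /v2/ HTTP/1.1" 401 0 "-" "docker/26.1.3"
203.0.113.7 - - [26/May/2026:10:14:03 +0000] "GET /v2/acme/payments-api/manifests/latest HTTP/1.1" 200 1523 "-" "docker/26.1.3"
203.0.113.7 - - [26/May/2026:10:14:03 +0000] "GET /v2/acme/payments-api/blobs/sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 HTTP/1.1" 200 48112233 "-" "docker/26.1.3"
198.51.100.4 - alice [26/May/2026:10:20:11 +0000] "GET /v2/acme/payments-api/manifests/latest HTTP/1.1" 200 1523 "-" "docker/26.1.3"
203.0.113.9 - - [26/May/2026:11:02:45 +0000] "GET /v2/acme/public-site/manifests/v2 HTTP/1.1" 200 900 "-" "containerd/1.7.2"
203.0.113.9 - - [26/May/2026:11:03:00 +0000] "HEAD /v2/acme/payments-api/manifests/latest HTTP/1.1" 404 0 "-" "curl/8.6.0"
"""


def find_anonymous_pulls(lines, public_images=frozenset()):
    """Successful manifest/blob fetches made without a signed-in identity.

    public_images lists owner/image names that are meant to be public; every
    other image served anonymously with a 2xx status is reported.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['identity'] != '-' or not m['status'].startswith('2'):
            continue
        p = PULL_RE.match(m['uri'])
        if not p or p['image'] in public_images:
            continue
        hits.append({'time': m['time'], 'remote': m['remote'],
                     'image': p['image'], 'kind': p['kind']})
    return hits


if __name__ == '__main__':
    for hit in find_anonymous_pulls(SAMPLE_LOG.splitlines(), {'acme/public-site'}):
        print(f"{hit['time']} {hit['remote']} anonymous {hit['kind']} pull of {hit['image']}")
```

Run it over the real access log of an unpatched instance to see which private images were fetched anonymously before the upgrade; a non-empty result for the period before 1.26.2 was applied is the signal to rotate any secrets baked into those images.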
Source articles (8)
- Gitea Flaw Left 30,000 Deployments' Private Container Images Readable for 4 Years — Techtimes · 2026-05-28
  A critical vulnerability in Gitea, the widely used open-source self-hosted Git platform, silently allowed any person on the internet to pull private container images from affected instances — no acco…
- Gitea Instances Exposing Private Container — www.noscope.com · 2026-05-28
  TL;DR: CVE-2026-27771 allowed unauthenticated access to private container images on Gitea instances. 30,000+ deployments were affected. The flaw went undetected for 4 years. NoScope discovered and res…
- Gitea v1.26.2 — blog.gitea.com · 2026-05-28
  We are excited to announce the release of Gitea 1.26.2! We strongly recommend all users upgrade to this version, as it contains a number of security fixes alongside important bug fixes and stability…
- Gitea Container Registry Vulnerability Could Lead to Private Image Exposure — Gbhackers · 2026-05-28
  A critical vulnerability, tracked as CVE-2026-27771, has been discovered in Gitea’s built-in container registry, allowing unauthenticated remote attackers to access private container images without cr…
- CVE-2026-27771: Critical Gitea Container Registry Vulnerability Exposes Private Images to ... — Rescana · 2026-05-28
  A critical vulnerability, CVE-2026-27771, has been identified in the built-in container registry of Gitea, a widely used open-source Git service. This flaw allows unauthenticated remote attackers to…
- Gitea Container Vulnerability Exposes Private Container Images to Attackers — Cybersecuritynews · 2026-05-28
  A critical security vulnerability in Gitea’s built-in container registry exposes private container images to unauthenticated attackers, raising significant concerns for organizations that rely on self…
- Gitea Vulnerability Exposes Private — thehackernews.com · 2026-05-28
- Orca Security: Gitea Container Registry Exposes Private Images to Unauthenticated Attackers — orca.security · 2026-05-28
Timeline
- 2026-04-01 — Vulnerability discovered: Noscope's autonomous penetration testing agent identified CVE-2026-27771, allowing unauthenticated access to private images.
- 2026-05-20 — Patch released: Gitea v1.26.2 was released to address the critical vulnerability CVE-2026-27771.
- 2026-05-25 — Vulnerability disclosed: Noscope publicly disclosed the vulnerability after notifying Gitea maintainers.
- 2026-05-28 — Public exploit for CVE-2026-27771 released: A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
CVEs
Related entities
- Data Breach (Attack Type)
- Supply Chain Attack (Attack Type)
- Forgejo (Company)
- Akamai (Company)
- Alibaba Cloud (Company)
- DigitalOcean (Company)
- Hetzner (Company)
- OVH (Company)
- Gitea (Platform)
- Harbor (Platform)
- Tencent Cloud (Platform)
- China (Country)
- Germany (Country)
- United States (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- noscope.com (Domain)
- notes.at (Domain)
- Aerospace (Industry)
- Healthcare (Industry)
- Internet Service Providers (Industry)
- Manufacturing (Industry)
- Retail (Industry)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Docker (Tool)
- NoScope (Tool)
- Shodan (Tool)