
Critical Gitea Flaw Exposes Private Container Images Without Authentication

Cybersecurity researchers have uncovered a serious security vulnerability in Gitea, the popular open-source self-hosted Git platform, that could allow attackers to access private container images without any authentication.

The flaw, identified as CVE-2026-27771, impacts all Gitea versions prior to 1.26.2. The vulnerability enables remote, unauthenticated attackers to pull private container images from affected Gitea instances without needing a username, password, or any valid account credentials.

Over 30,000 Deployments Potentially Affected

According to security firm Noscope, the issue may affect more than 30,000 Gitea deployments spread across over 30 countries. Researchers believe the vulnerability remained unnoticed for nearly four years.

Most exposed systems are reportedly located in:

  • China
  • United States
  • Germany
  • France
  • United Kingdom

Organizations at risk include:

  • Healthcare providers
  • Aerospace manufacturers
  • Retail infrastructure companies
  • Internet service providers

What Makes the Vulnerability Dangerous?

Researchers explained that the “private” setting for container repositories in vulnerable versions of Gitea did not provide the level of protection administrators expected.

In affected deployments, anyone on the internet could potentially download supposedly private container images as though they were publicly accessible.

Noscope stated:

“Gitea’s container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images from affected instances as if they were public.”

Forgejo Also Confirmed Vulnerable

The researchers also warned that any platform or fork based on Gitea should be considered potentially vulnerable unless independently verified by maintainers.

During testing, Forgejo, a well-known fork of Gitea, was also confirmed to be affected.

At the time of disclosure, no detailed technical exploit information had been publicly released.

Recommended Fix and Mitigation

Gitea users are strongly advised to upgrade immediately to version 1.26.2 or later to protect their deployments from unauthorized access.

For organizations unable to patch immediately, a temporary workaround is available by enabling the following setting in the Gitea configuration file:

[service]
REQUIRE_SIGNIN_VIEW=true

However, researchers caution that this workaround may not be suitable for environments where some container images are intentionally meant to remain publicly accessible.
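After upgrading or enabling the workaround, an administrator will want to confirm that anonymous access to a private image is actually rejected. The script below is an added example, not code from the article or from the Gitea project; it assumes the standard Gitea endpoints GET /api/v1/version (which returns a JSON object with a "version" key) and the OCI distribution route /v2/<owner>/<image>/manifests/<tag>, and the owner, image name and tag it is given are placeholders for one of your own private images.

```python
"""Post-patch self-check for a Gitea (or Forgejo) container registry.

Added example; assumes the documented Gitea endpoints named in the lead-in.
Point it at your own instance and one of your own private images.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# First fixed release according to the advisory text above.
FIXED_VERSION = (1, 26, 2)


def parse_version(text: str) -> tuple:
    """Turn '1.26.2' or '1.25.3+dev-42-gabcdef' into a comparable (1, 26, 2)-style tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_patched(text: str) -> bool:
    """True when the reported version is 1.26.2 or later."""
    return parse_version(text) >= FIXED_VERSION


def anonymous_pull_blocked(status: int) -> bool:
    """A private image must not be served (2xx) to a client with no credentials;
    401, 403 and 404 all mean the registry refused the anonymous request."""
    return status in (401, 403, 404)


def check_instance(base_url: str, owner: str, image: str, tag: str = "latest") -> dict:
    """Query a live instance (network code; the offline test covers the helpers only)."""
    with urllib.request.urlopen(f"{base_url}/api/v1/version", timeout=10) as r:
        version = json.load(r)["version"]
    manifest_url = f"{base_url}/v2/{owner}/{image}/manifests/{tag}"
    req = urllib.request.Request(manifest_url)  # deliberately no Authorization header
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            status = r.status
    except urllib.error.HTTPError as e:
        status = e.code
    return {"version": version, "patched": version_is_patched(version),
            "manifest_status": status, "anon_pull_blocked": anonymous_pull_blocked(status)}


if __name__ == "__main__":
    # usage: python check_gitea_registry.py https://git.example.test myorg private-app
    base, owner, image = sys.argv[1:4]
    result = check_instance(base.rstrip("/"), owner, image)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["patched"] and result["anon_pull_blocked"] else 1)
```

A non-zero exit means either the instance still reports a version below 1.26.2 or the registry handed a private manifest to an unauthenticated request, so the workaround or upgrade has not taken effect.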

Final Thoughts

The discovery of CVE-2026-27771 highlights how dangerous overlooked access-control issues can become in widely deployed developer infrastructure. Organizations using Gitea or its forks should urgently review their deployments, apply available patches, and audit container registry exposure to prevent unauthorized access to sensitive images and internal software components.
