Gitea Vulnerability Exposed 30,000 Deployments to Attacks
https://www.securityweek.com/gitea-vulnerability-exposed-30000-deployments-to-attacks/
Publish Date: 2026-05-28 07:24:51
Source Domain: www.securityweek.com
Summary:
AI pentesting firm NoScope has warned that a significant vulnerability, tracked as CVE-2026-27771, in the open-source, self-hosted Git service Gitea allows unauthenticated attackers to pull private container images from over 30,000 deployments. The access-control flaw lies in Gitea’s built-in container registry and may also affect Forgejo and other forks. It sat in Gitea’s code for four years before being fixed in version 1.26.2, released recently. Because of the flaw, even private images could be pulled without authentication through ordinary Docker/OCI pull requests, so sensitive material embedded in those images, such as source code and production data, could have been exposed. Operators are advised to update to version 1.26.2 immediately or, failing that, to enforce authentication for all content access in order to protect critical production systems.
Key Points:
- A vulnerability in Gitea enables public access to private container images without authentication.
- The issue affected over 31,000 deployments, with around 4,000 being production systems on major cloud platforms.
- The flaw was buried in Gitea’s codebase for four years before being patched in version 1.26.2.
- The exposure could lead to the leakage of sensitive data, including secrets and production details.
- Immediate updates are advised; instances that are deliberately configured to expose some containers publicly may need their configuration reviewed and adjusted after the upgrade.
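A defender-side check for the behaviour described above (anonymous Docker/OCI pulls of private images) and for verifying the fix after upgrading, added here as an example that is not part of the article or of Gitea's own code. It assumes the Gitea registry is served at <base>/v2/ with images at <base>/v2/<owner>/<image>/manifests/<tag>; the hostname and image names are placeholders, and the fetcher is injectable so the logic can be exercised against constructed responses.

```python
"""Check whether a Gitea container registry hands private image manifests to
anonymous clients (the exposure described for CVE-2026-27771).
Assumptions (not from the article): the OCI distribution API lives at <base>/v2/
and a manifest is fetched from /v2/<owner>/<image>/manifests/<tag>."""
import sys
import urllib.error
import urllib.request

MANIFEST_ACCEPT = ("application/vnd.oci.image.manifest.v1+json, "
                   "application/vnd.docker.distribution.manifest.v2+json")


def http_fetch(url, headers):
    """Real fetcher: GET without any credentials; returns (status, body_length)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, 0


def check_anonymous_pull(base_url, image_ref, fetch=http_fetch):
    """Request the manifest of a *private* image with no Authorization header.
    image_ref is 'owner/image[:tag]' (tag defaults to 'latest').
    Returns 'exposed' if the registry serves the manifest anonymously,
    'protected' on 401/403, otherwise 'unexpected:<status>'."""
    name, _, tag = image_ref.partition(":")
    tag = tag or "latest"
    url = f"{base_url.rstrip('/')}/v2/{name}/manifests/{tag}"
    status, body_len = fetch(url, {"Accept": MANIFEST_ACCEPT})
    if status == 200 and body_len > 0:
        return "exposed"
    if status in (401, 403):
        return "protected"
    return f"unexpected:{status}"


def audit(base_url, image_refs, fetch=http_fetch):
    """Map each private image ref to its verdict; all should be 'protected'."""
    return {ref: check_anonymous_pull(base_url, ref, fetch) for ref in image_refs}


if __name__ == "__main__":
    # usage: python check_registry.py https://gitea.example.com acme/private-app:1.0 ...
    base, refs = sys.argv[1], sys.argv[2:]
    for ref, verdict in audit(base, refs).items():
        print(f"{ref}: {verdict}")
```

Run it only against your own instance with image names you know are private; any 'exposed' verdict after the upgrade means the registry still needs its access configuration reviewed.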