CyberSecurityNews

Gitea Container Vulnerability Exposes Private Container Images to Attackers


A critical security vulnerability in Gitea’s built-in container registry exposes private container images to unauthenticated attackers, raising significant concerns for organizations that rely on self-hosted Git and CI/CD environments.

The flaw, tracked as CVE-2026-27771, allows remote attackers to access and download container images marked as private without requiring authentication, tokens, or any prior access.

The vulnerability stems from a failure in Gitea’s access control enforcement within its container registry component.

Although repositories can be configured as private, the registry endpoint does not properly validate authentication before serving image manifests and layers.

By issuing standard Docker or OCI pull requests to the affected registry API, attackers can retrieve complete container images anonymously.

This effectively bypasses expected access restrictions and exposes sensitive data embedded within those images.

The security implications are substantial. Container images often contain proprietary application code, internal configurations, API keys, database credentials, and cloud access tokens.

Unauthorized access to such data can enable attackers to map internal infrastructure, escalate privileges, and potentially compromise production environments.

In worst-case scenarios, this could lead to lateral movement across systems, data breaches, or full infrastructure takeover.

Gitea Container Vulnerability

All Gitea versions before 1.26.2 are affected. Forgejo, a widely used fork of Gitea that shares the same container registry implementation, has also been confirmed vulnerable through independent testing.

Given the widespread adoption of Gitea across development pipelines, the exposure is significant.

Researchers estimate that over 31,000 internet-facing Gitea instances are potentially impacted, with deployments observed across multiple sectors including healthcare, aerospace, retail, and enterprise software.

A notable portion of these instances is hosted on major cloud platforms, further increasing the risk surface.

The vulnerability was discovered in April 2026 by NoScope, an autonomous penetration testing agent, and responsibly disclosed to the Gitea maintainers.

The issue went undetected for nearly four years after the container registry feature was introduced.

While no public exploit code or active exploitation has been observed, Orca Security researchers warned that the flaw remains high risk due to its ease of exploitation and lack of authentication requirements.

Gitea has addressed the flaw in version 1.26.2, and users are strongly advised to upgrade immediately.

As a temporary mitigation, administrators can enforce authentication globally by enabling the REQUIRE_SIGNIN_VIEW setting, though this may restrict legitimate public access.
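A small triage helper, added here as an example and not code from Gitea, Forgejo or the researchers: it reads the version string printed by `gitea --version` and the instance's app.ini, and reports whether the host is patched (1.26.2 or later), relying on the REQUIRE_SIGNIN_VIEW interim mitigation, or still exposed. The sample version strings and app.ini text are constructed for the example; the `[service]` section is where Gitea reads REQUIRE_SIGNIN_VIEW from.

```python
import configparser
import re
from typing import Optional, Tuple

# Version in which the article says the flaw is fixed.
FIXED_VERSION = (1, 26, 2)


def parse_gitea_version(version_output: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from `gitea --version` output.

    Assumed output shape (constructed): 'Gitea version 1.25.3 built with ...'.
    Returns None when no version can be found.
    """
    m = re.search(r"Gitea version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def require_signin_view_enabled(app_ini: str) -> bool:
    """Return True if [service] REQUIRE_SIGNIN_VIEW is enabled in app.ini text.

    Gitea's app.ini may have keys before the first section header, which
    configparser rejects, so a dummy section is prepended. Gitea keys are
    case-sensitive, so optionxform is disabled; '=' is the only delimiter so
    values containing ':' are not split.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string("[__root__]\n" + app_ini)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def triage(version_output: str, app_ini: str) -> str:
    """Classify an instance as 'patched', 'mitigated' or 'exposed'."""
    version = parse_gitea_version(version_output)
    if version is not None and version >= FIXED_VERSION:
        return "patched"
    if require_signin_view_enabled(app_ini):
        return "mitigated"  # interim state only: anonymous access blocked globally
    return "exposed"


# Constructed sample inputs (not taken from a real instance).
SAMPLE_VERSION_OLD = "Gitea version 1.25.3 built with GNU Make 4.4.1, go1.24.0 : bindata, sqlite"
SAMPLE_VERSION_FIXED = "Gitea version 1.26.2 built with GNU Make 4.4.1, go1.24.0 : bindata, sqlite"
SAMPLE_INI_EXPOSED = """\
APP_NAME = Example Gitea: self-hosted
RUN_USER = git

[server]
DOMAIN = git.example.internal

[service]
REQUIRE_SIGNIN_VIEW = false
"""
SAMPLE_INI_MITIGATED = SAMPLE_INI_EXPOSED.replace(
    "REQUIRE_SIGNIN_VIEW = false", "REQUIRE_SIGNIN_VIEW = true"
)

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_OLD, SAMPLE_INI_EXPOSED))    # exposed
    print(triage(SAMPLE_VERSION_OLD, SAMPLE_INI_MITIGATED))  # mitigated
    print(triage(SAMPLE_VERSION_FIXED, SAMPLE_INI_EXPOSED))  # patched
```

Treat "mitigated" as a holding state: as the article notes, the setting also blocks legitimate anonymous access to otherwise public content, so the upgrade remains the actual fix.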

Security teams should also audit access logs for unauthorized pulls and rotate any credentials that may have been exposed through container images.
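For the log review the article recommends, here is an added example (not code from the original article, Gitea or Orca Security) that scans reverse-proxy access logs in front of a Gitea registry for successful manifest and blob requests to private images that carried no Authorization header. The log lines are constructed for the example and assume a custom nginx log_format: the standard combined fields plus a trailing `auth=<bearer|basic|none>` field derived from `$http_authorization`. The private-image list is likewise an assumption the operator would fill in from their own instance.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample lines, not real logs. Assumed format: nginx "combined"
# plus one trailing field, auth=<bearer|basic|none>, that the proxy derives
# from $http_authorization (a custom log_format assumed for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:10:15:01 +0000] "GET /v2/ HTTP/1.1" 401 0 "-" "docker/26.0" auth=none
203.0.113.7 - - [12/Apr/2026:10:15:02 +0000] "GET /v2/acme/billing-api/manifests/latest HTTP/1.1" 200 1532 "-" "docker/26.0" auth=none
203.0.113.7 - - [12/Apr/2026:10:15:03 +0000] "GET /v2/acme/billing-api/blobs/sha256:0a1b2c3d4e5f HTTP/1.1" 200 34567890 "-" "docker/26.0" auth=none
10.0.5.21 - - [12/Apr/2026:10:20:11 +0000] "GET /v2/acme/billing-api/manifests/v1.4.2 HTTP/1.1" 200 1532 "-" "containerd/1.7" auth=bearer
10.0.5.21 - - [12/Apr/2026:10:20:12 +0000] "HEAD /v2/acme/billing-api/blobs/sha256:6f7e8d9c0b1a HTTP/1.1" 200 0 "-" "containerd/1.7" auth=bearer
198.51.100.9 - - [12/Apr/2026:11:02:45 +0000] "GET /v2/acme/public-docs/manifests/latest HTTP/1.1" 200 1410 "-" "docker/26.0" auth=none
198.51.100.9 - - [12/Apr/2026:11:05:00 +0000] "GET /acme/billing-api HTTP/1.1" 200 8821 "-" "Mozilla/5.0" auth=none
"""

# Constructed: owner/image pairs the administrator knows are marked private.
PRIVATE_IMAGES: Set[str] = {"acme/billing-api"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" '
    r'auth=(?P<auth>\S+)$'
)
# A pull needs the manifest and then the layer blobs, so these two endpoint
# kinds are the ones worth auditing. The image part is non-greedy so names
# containing '/' are handled as well.
REGISTRY_RE = re.compile(
    r'^/v2/(?P<owner>[^/]+)/(?P<image>.+?)/(?P<kind>manifests|blobs)/(?P<ref>[^?]+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict, private_images: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (image, kind) if the entry is a successful anonymous pull of a private image."""
    reg = REGISTRY_RE.match(entry["path"])
    if not reg:
        return None  # web UI, /v2/ ping, anything outside manifests/blobs
    image = f"{reg['owner']}/{reg['image']}"
    if image not in private_images:
        return None  # public image: anonymous pulls are expected
    if entry["auth"] != "none":
        return None  # credentials were presented
    if not entry["status"].startswith("2"):
        return None  # 401/404: the request was refused, nothing served
    if entry["method"] not in ("GET", "HEAD"):
        return None
    return image, reg["kind"]


def audit(lines: Iterable[str], private_images: Set[str]) -> List[dict]:
    """Collect every anonymous, successful manifest/blob access to a private image."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry, private_images)
        if hit:
            image, kind = hit
            served = int(entry["bytes"]) if entry["bytes"] != "-" else 0
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "image": image, "kind": kind, "bytes": served})
    return findings


def summarize(findings: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group findings by (client IP, image): request count, bytes served, manifests read.

    Bytes served per image is the quickest signal of whether whole layers left
    the server, which drives the credential-rotation decision.
    """
    summary: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "manifests": 0})
    for f in findings:
        s = summary[(f["ip"], f["image"])]
        s["requests"] += 1
        s["bytes"] += f["bytes"]
        if f["kind"] == "manifests":
            s["manifests"] += 1
    return dict(summary)


if __name__ == "__main__":
    result = summarize(audit(SAMPLE_LOG.splitlines(), PRIVATE_IMAGES))
    for (ip, image), s in result.items():
        print(f"{ip} pulled private image {image}: "
              f"{s['requests']} requests, {s['bytes']} bytes, {s['manifests']} manifest reads")
```

Any image that appears in the summary with layer bytes served should be treated as disclosed: whatever secrets were baked into it (the API keys, database credentials and cloud tokens the article lists) are the ones to rotate first.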

Organizations using Gitea for container storage and CI/CD workflows should treat this vulnerability as urgent and prioritize remediation to prevent potential data exposure and downstream compromise.

