A vulnerability CVE-2026-27771 has been discovered in the Gitea version control platform that allows unauthenticated remote attackers to pull private container images from deployed Gitea instances — without an account, password, or any other credentials. The vulnerability affects all Gitea versions up to 1.26.2, as well as, according to researchers, the fork Forgejo. Administrators of affected installations must update to version 1.26.2 or apply a temporary configuration-based workaround.
Technical details of the vulnerability
The issue is located in Gitea’s container registry. According to researchers from UK-based company Noscope, who published a report, marking a container repository as private did not in fact provide the expected access protection. Any internet user could perform a pull operation for images the administrator believed to be private — and the system processed such requests as if the images were public.
Key vulnerability parameters:
- CVE ID: CVE-2026-27771
- CVSS score: not assigned at the time of publication
- Affected products: Gitea (all versions up to 1.26.2), Forgejo (confirmed by Noscope testing)
- Attack vector: remote, unauthenticated
- Exploitation status: unknown; the vulnerability is not listed in the CISA KEV catalog
The fix was released in Gitea version 1.26.2. At the time of publication, Gitea’s developers had not provided a separate, detailed security advisory — the information is based on the release notes and Noscope’s research.
Impact scope
According to Noscope’s estimates, the vulnerability affects more than 30,000 deployed Gitea instances in over 30 countries. The highest concentration of vulnerable installations, based on the same data, is in China, the United States, Germany, France, and the United Kingdom. Among potentially affected organizations, the researchers mention healthcare institutions, aerospace manufacturers, retail infrastructure, and internet service providers.
Important caveat: these impact estimates come from a single research source and have not been independently confirmed. Noscope also claims that the vulnerability remained unnoticed for about four years — this timeframe has likewise not been verified by third parties.
Of particular note is the fact that any Gitea forks should be treated as potentially vulnerable until their maintainers complete an independent review. During their own testing, Noscope confirmed the presence of the vulnerability in Forgejo, but no official advisory from the Forgejo team was found in the available materials.
Risk assessment
The essence of the vulnerability is a breakdown of basic access control to the container registry. This means that any private container images hosted in affected Gitea instances could have been accessible from the outside. Potential consequences include:
- Leakage of proprietary code and configurations: container images often contain application source code, configuration files, and sometimes even embedded secrets (API keys, access tokens, database connection strings).
- Reconnaissance for follow-up attacks: analyzing pulled images can reveal internal architecture, dependencies and their versions, making it easier to find additional vulnerabilities.
- Compliance violations: for organizations in regulated industries (healthcare, aerospace), uncontrolled data exposure can lead to regulatory consequences.
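The first consequence above (secrets baked into images) is also the one an operator can check for directly. The following script is an added example, not part of the original article or of Gitea: it walks a docker-save style image tarball (manifest.json, the image config, and each layer tar), scans environment variables and small text files for a few common secret patterns, and reports where each match lives. The sample image is constructed in memory so the script runs offline; the patterns and the image/file names are illustrative assumptions.

```python
"""Scan a docker-save style image tarball for embedded secrets.

Added example (not Gitea's own tooling). The tarball is constructed in memory
here so the script runs offline; on a real host open the file from `docker save`.
"""
import io
import json
import re
import tarfile

# Patterns a practitioner typically looks for; extend for your environment (assumed set).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_connection_string": re.compile(r"\b(?:postgres|mysql|mongodb)://[^:\s]+:[^@\s]+@", re.I),
    "generic_assignment": re.compile(r"(?i)\b(?:password|secret|token|api_key)\b\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
}
MAX_FILE_BYTES = 1_000_000  # skip large binaries; secrets usually sit in small text files


def _scan_text(text, location):
    findings = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append({"type": name, "location": location, "match": m.group(0)[:40]})
    return findings


def scan_image_tar(data):
    """Return a list of findings for an image tarball given as bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for entry in manifest:
            # Image config: variables set with ENV at build time are a classic leak.
            config = json.load(outer.extractfile(entry["Config"]))
            for env in config.get("config", {}).get("Env", []) or []:
                findings += _scan_text(env, f"config:{entry['Config']}:Env")
            # Each layer is itself a tar archive; walk its regular files.
            for layer_name in entry["Layers"]:
                layer_bytes = outer.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
                    for member in layer.getmembers():
                        if not member.isfile() or member.size > MAX_FILE_BYTES:
                            continue
                        raw = layer.extractfile(member).read()
                        try:
                            text = raw.decode("utf-8")
                        except UnicodeDecodeError:
                            continue  # binary content, skip
                        findings += _scan_text(text, f"{layer_name}:{member.name}")
    return findings


def _add_bytes(tar, name, payload):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))


def build_sample_image():
    """Constructed sample image: one layer with an .env file plus one secret in ENV."""
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add_bytes(layer, "app/.env", b"DATABASE_URL=postgres://app:hunter2pass@db:5432/app\nDEBUG=false\n")
        _add_bytes(layer, "app/main.py", b"print('hello')\n")
    config = {"config": {"Env": ["PATH=/usr/bin", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]}}
    outer_buf = io.BytesIO()
    with tarfile.open(fileobj=outer_buf, mode="w") as outer:
        _add_bytes(outer, "config.json", json.dumps(config).encode())
        _add_bytes(outer, "layer1/layer.tar", layer_buf.getvalue())
        _add_bytes(outer, "manifest.json",
                   json.dumps([{"Config": "config.json", "Layers": ["layer1/layer.tar"]}]).encode())
    return outer_buf.getvalue()


if __name__ == "__main__":
    for f in scan_image_tar(build_sample_image()):
        print(f"{f['type']:<22} {f['location']}  {f['match']}")
```

Running it against the constructed image reports the AWS key in the image config and the database connection string in app/.env. Every hit is a candidate for rotation regardless of whether the logs show a pull, because the exposure window described above cannot be reconstructed precisely.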
The absence of an assigned CVSS score complicates formal prioritization, but the nature of the vulnerability — complete bypass of authentication to access data the operator considers protected — points to a high level of severity.
Remediation recommendations
- Update to Gitea 1.26.2 — this is the top priority. This version fixes vulnerability CVE-2026-27771.
- Temporary workaround (if immediate updating is not possible): set REQUIRE_SIGNIN_VIEW = true in the [service] section of the Gitea configuration. This will require authentication to view any content, including the container registry. Note that this parameter will also block access to containers that are intentionally meant to remain public.
- Audit container images: review which private images were hosted in the affected instances. Assess whether they contain sensitive data — secrets, credentials, proprietary code. If embedded secrets are discovered, rotate them.
- Check forks: if you use Forgejo or other Gitea forks, treat them as vulnerable until you receive confirmation from the maintainers of the specific project.
- Analyze access logs: examine container registry logs for unauthenticated pull requests to private repositories — this will help determine whether the vulnerability was used against your infrastructure.
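One way to carry out the log review in the last step, as an added example that is not part of the original article or of Gitea: the script below reads reverse-proxy access logs and flags successful pulls of private images that are not preceded by a token exchange from the same client. It assumes Gitea sits behind a proxy writing nginx "combined" format lines, that the registry API is served under /v2/ (manifests and blobs), and that a properly authenticating client first fetches a token from /v2/token; the private-image list, the window, and the log lines are constructed for the example.

```python
"""Flag container-registry pulls of private images that show no sign of authentication.

Added example, not Gitea's own tooling. Assumptions: nginx "combined" access
logs in front of Gitea; OCI distribution API under /v2/; an authenticating
client fetches a token from /v2/token shortly before pulling, so a 200 on a
private image with no recent token request from that client is suspicious.
"""
import re
from datetime import datetime, timedelta

# Images the operator marked private (constructed; take yours from the package list).
PRIVATE_IMAGES = {"acme/billing-api", "acme/internal-tools"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
PULL_RE = re.compile(r"^/v2/(?P<image>.+?)/(?:manifests|blobs)/[^/?]+")
TOKEN_WINDOW = timedelta(minutes=5)  # assumed token lifetime to correlate against


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_suspect_pulls(lines):
    """Return (ip, image, iso_timestamp) for private-image pulls without a recent token fetch."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_token = {}  # ip -> time of the most recent successful /v2/token request
    suspects = []
    for e in events:
        if e["path"].split("?")[0] == "/v2/token" and e["status"] == 200:
            last_token[e["ip"]] = e["ts"]
            continue
        if e["method"] != "GET" or e["status"] != 200:
            continue  # only successful pulls matter here
        pm = PULL_RE.match(e["path"])
        if not pm or pm["image"] not in PRIVATE_IMAGES:
            continue
        tok = last_token.get(e["ip"])
        if tok is None or e["ts"] - tok > TOKEN_WINDOW:
            suspects.append((e["ip"], pm["image"], e["ts"].isoformat()))
    return suspects


# Constructed sample: 10.0.0.5 authenticates properly; 203.0.113.9 pulls a private
# image with no token exchange; 198.51.100.2 pulls a public image anonymously (fine).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2026:09:00:01 +0000] "GET /v2/token?scope=repository:acme/billing-api:pull HTTP/1.1" 200 512 "-" "docker/24.0"
10.0.0.5 - - [11/Mar/2026:09:00:02 +0000] "GET /v2/acme/billing-api/manifests/latest HTTP/1.1" 200 1420 "-" "docker/24.0"
203.0.113.9 - - [11/Mar/2026:09:03:10 +0000] "GET /v2/acme/billing-api/manifests/latest HTTP/1.1" 200 1420 "-" "curl/8.5.0"
203.0.113.9 - - [11/Mar/2026:09:03:11 +0000] "GET /v2/acme/billing-api/blobs/sha256:1111111111111111111111111111111111111111111111111111111111111111 HTTP/1.1" 200 9000000 "-" "curl/8.5.0"
198.51.100.2 - - [11/Mar/2026:09:05:00 +0000] "GET /v2/acme/public-site/manifests/v1 HTTP/1.1" 200 900 "-" "docker/24.0"
""".splitlines()

if __name__ == "__main__":
    for ip, image, ts in find_suspect_pulls(SAMPLE_LOG):
        print(f"SUSPECT unauthenticated pull: {ip} -> {image} at {ts}")
```

The correlation is a heuristic: combined-format logs do not record the Authorization header, so the absence of a token request is the only visible sign of an anonymous pull. Clients that reuse a token for longer than the window will show up as false positives, and a proxy that logs a custom field for Authorization presence would give a more direct signal; in either case, treat a hit on a private image as a reason to rotate whatever that image contained.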
Gitea administrators using the container registry with private images should treat updating to version 1.26.2 as an urgent task. If your private images contained secrets or credentials, begin rotating them in parallel with the update, without waiting for the full audit to be completed.