CVE-2026-27771: a vulnerability in Gitea that lets unauthenticated remote actors pull private container images has been disclosed, and researchers say it could touch tens of thousands of deployments worldwide.
How the flaw behaves
Cybersecurity researchers report that the defect permits unauthenticated remote attackers to retrieve container images marked as private from affected Gitea instances without any account, password, or other credentials. In Noscope's words, "On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to." The company added that "Gitea's container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public."
No additional technical details are currently available.
Scale, geography, and sectors affected
Noscope estimates the security defect likely impacts more than 30,000 deployments across over 30 countries and that it went undetected for close to four years. The security firm reported the majority of exposures are in China, the U.S., Germany, France, and the U.K. Affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure, and internet service providers.
Forks and related projects: Forgejo confirmed
The U.K.-based security company warned that any fork of Gitea "should be treated as potentially impacted by the vulnerability until it's been independently verified by the respective maintainers." In Noscope's testing, the Forgejo fork has been confirmed to be impacted. The advisory therefore extends beyond upstream Gitea deployments to derivatives unless maintainers explicitly validate the absence of the flaw.
Gitea versions, patching, and temporary mitigations
The vulnerability is tracked as CVE-2026-27771 and, according to the advisory, affects all versions of Gitea prior to 1.26.2, which addresses the issue. Separately, users are advised to update to version 1.6.2 for optimal protection. If immediate patching is not possible, the advisory recommends setting [service].REQUIRE_SIGNIN_VIEW=true in the Gitea configuration as a temporary workaround, while noting that this approach "isn't ideal if some containers are meant to be intentionally exposed publicly."
What this means for technologists, open-source maintainers, and affected enterprises
- Technologists and security teams: Investigate whether internal or public-facing Gitea instances run versions prior to 1.26.2, prioritize patching or apply the configuration workaround, and review access logs for unexpected pulls of private images.
- Open-source maintainers and fork owners: Treat forks as potentially impacted until independent verification is completed; Forgejo has already been confirmed by Noscope to be affected in testing.
- Affected enterprises and procurement leaders: Recognize that the advisory lists exposed sectors including healthcare, aerospace, retail infrastructure, and ISPs; those organizations should confirm whether their supply-chain or vendor-hosted Gitea instances are updated and adjust procurement or contract requirements accordingly.
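The version check, the configuration workaround and the access-log review above are easy to get subtly wrong by hand (string comparison of versions, a setting placed in the wrong section, anonymous pulls that blend in with legitimate ones). The following is an added audit helper, not code from Gitea or Noscope. It assumes: the fixed version 1.26.2 stated in the advisory; that the operator obtains the running version separately (Gitea's GET /api/v1/version endpoint returns it, but fetching is left out so the module runs offline); that the instance writes its access log in Gitea's default combined-log style with "-" as the identity for anonymous requests (an assumption about the default template); and that the container registry answers under the Docker-style /v2/<owner>/<image>/manifests|blobs/ paths. The sample log lines and the private-image list are constructed.

```python
"""Audit helpers for the Gitea private-container-image issue (CVE-2026-27771).

Added example, not Gitea's or Noscope's code. Assumptions are labelled inline.
"""
import configparser
import re
from dataclasses import dataclass

FIXED_VERSION = (1, 26, 2)  # version that addresses the issue, per the advisory


def parse_version(v: str) -> tuple[int, ...]:
    """Turn "1.25.3" or "v1.26.0+dev-12-gabcdef1" into a comparable tuple."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in core.groups())


def is_vulnerable_version(v: str) -> bool:
    """True when the reported version is older than 1.26.2 (string compare would mis-order 1.9 vs 1.26)."""
    return parse_version(v) < FIXED_VERSION


def workaround_enabled(app_ini_text: str) -> bool:
    """Check that REQUIRE_SIGNIN_VIEW = true sits under [service], the section the advisory names."""
    cp = configparser.ConfigParser(interpolation=None)  # app.ini values may contain '%'
    cp.read_string(app_ini_text)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


# Assumption: Gitea's default access-log template is combined-log style,
# "<host> - <identity> [<time>] "<method> <uri> <proto>" <status> <size> ...",
# with identity "-" for requests that carried no authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<ident>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: registry pulls hit /v2/<owner>/<image>/manifests/... or /blobs/...
REGISTRY_PULL_RE = re.compile(r"^/v2/(?P<owner>[^/]+)/(?P<image>[^/]+)/(manifests|blobs)/")


@dataclass(frozen=True)
class SuspiciousPull:
    ip: str
    owner: str
    image: str
    path: str


def find_anonymous_pulls(log_text: str, private_images: set[tuple[str, str]]) -> list[SuspiciousPull]:
    """Return successful (2xx) registry GETs of private images that carried no identity.

    A 401 on a private image is the registry doing its job; a 2xx with ident "-"
    is the pattern the advisory describes and is what operators should review.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        if m["method"] != "GET" or m["ident"] != "-" or not m["status"].startswith("2"):
            continue
        r = REGISTRY_PULL_RE.match(m["path"])
        if not r:
            continue
        key = (r["owner"].lower(), r["image"].lower())
        if key in private_images:
            hits.append(SuspiciousPull(m["ip"], r["owner"], r["image"], m["path"]))
    return hits


# Constructed sample data: one anonymous client pulling a private image (two lines),
# an authenticated pull, an anonymous pull of a public image, and a refused request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:14:01 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1523 "-" "docker/24.0.7"
203.0.113.7 - - [12/May/2026:10:14:02 +0000] "GET /v2/acme/internal-api/blobs/sha256:0000 HTTP/1.1" 200 8921 "-" "docker/24.0.7"
198.51.100.4 - alice [12/May/2026:10:15:10 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1523 "-" "docker/24.0.7"
203.0.113.9 - - [12/May/2026:10:16:00 +0000] "GET /v2/acme/public-site/manifests/latest HTTP/1.1" 200 1400 "-" "docker/24.0.7"
203.0.113.9 - - [12/May/2026:10:16:30 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 401 0 "-" "docker/24.0.7"
"""
PRIVATE_IMAGES = {("acme", "internal-api")}  # constructed: owner/image pairs marked private


if __name__ == "__main__":
    print("1.25.3 vulnerable:", is_vulnerable_version("1.25.3"))
    print("workaround set:", workaround_enabled("[service]\nREQUIRE_SIGNIN_VIEW = true\n"))
    for hit in find_anonymous_pulls(SAMPLE_LOG, PRIVATE_IMAGES):
        print(f"anonymous pull of {hit.owner}/{hit.image} from {hit.ip}: {hit.path}")
```

Feed `find_anonymous_pulls` the real access log and the list of container packages flagged private in the instance; only anonymous, successful requests against those images are reported, so refused (401) requests and authenticated pulls do not add noise. If the instance uses a custom ACCESS_LOG_TEMPLATE, adjust LOG_RE to match it before trusting the result.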
The disclosure places immediate operational choices in front of deployers: apply the fix where available, adopt the suggested configuration toggle if necessary, and verify forks and derivative projects under operational control. Noscope's finding that the private flag failed to provide expected protection highlights a practical lesson for operators who assumed repository privacy equated to confidentiality.
For further details, see the original advisory at The Hacker News: https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html