PROBABLYPWNED
Vulnerabilities | May 28, 2026 | 3 min read

Gitea Flaw Exposed Private Container Images for 4 Years

CVE-2026-27771 let attackers pull private container images without authentication. Over 30,000 Gitea deployments affected across healthcare, aerospace, and retail. Update to 1.26.2 now.

Marcus Chen

A security flaw in Gitea allowed unauthenticated attackers to pull private container images from any deployment—and it went undetected for nearly four years. CVE-2026-27771, disclosed Tuesday by Noscope researchers, carries a CVSS score of 8.2 and affects all Gitea versions prior to 1.26.2.

The vulnerability exists in Gitea's container registry access control model. When a repository is marked private, the container registry endpoint should require authentication. It didn't. Anonymous requests could fetch image layers and manifests without credentials.

Who's Affected

According to Noscope, more than 30,000 deployments across 30+ countries are likely vulnerable. Affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure, and internet service providers. The bug has existed since the container registry feature was introduced in Gitea 1.14.0 back in 2022.

Forgejo, the community fork of Gitea that shares the same container registry implementation, is also confirmed vulnerable.

Technical Details

The flaw stems from how Gitea handles the "private" designation on container repositories. The access control check simply failed to apply to the OCI registry endpoints. An attacker could enumerate image names through common naming patterns or prior reconnaissance, then pull the full image contents without ever authenticating.

This is similar to issues we've seen in other self-hosted git platforms. Authorization bypass vulnerabilities have plagued developer infrastructure throughout the software supply chain. Container registries are particularly attractive targets because they often contain proprietary code, configuration secrets, and infrastructure blueprints.
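The bug class described above is an authorization check that is enforced on one set of routes (the repository web UI) but never reaches another set that exposes the same data (the OCI registry endpoints under `/v2/`). The following is an added illustration of that pattern, not Gitea's code: the repositories, users and route shapes are constructed, and the "before" function models the gap while the "after" function routes every request that resolves to a repository through the same visibility check.

```python
"""Simplified model of a per-route authorization gap (added example, not Gitea's code).

A repository visibility check wired to the web routes but not to the OCI
registry routes under /v2/ lets anonymous clients read private image data.
Repositories, users and routes here are constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Repo:
    owner: str
    name: str
    private: bool


# Constructed repositories; registry image names follow <owner>/<name>.
REPOS = {
    ("acme", "billing-svc"): Repo("acme", "billing-svc", private=True),
    ("acme", "website"): Repo("acme", "website", private=False),
}
# Constructed users: login -> owners whose private repositories they may read.
USERS = {"jdoe": {"acme"}, "guest": set()}

WEB_ROUTE = re.compile(r"^/(?P<owner>[^/]+)/(?P<name>[^/]+)(?:/.*)?$")
# Standard OCI distribution pull paths: manifests and blobs under /v2/<name>/.
OCI_ROUTE = re.compile(
    r"^/v2/(?P<owner>[^/]+)/(?P<name>[^/]+)/(?:manifests|blobs)/[^/]+$"
)


def can_read(repo, user):
    """Visibility rule; user is None for an anonymous request."""
    if not repo.private:
        return True
    return user is not None and repo.owner in USERS.get(user, set())


def vulnerable_authorize(path, user):
    """Before: web routes are gated, but /v2/ is served whenever the image exists."""
    m = OCI_ROUTE.match(path)
    if m:
        # No visibility check on the registry path: private images leak anonymously.
        return 200 if (m["owner"], m["name"]) in REPOS else 404
    m = WEB_ROUTE.match(path)
    if m:
        repo = REPOS.get((m["owner"], m["name"]))
        if repo is None:
            return 404
        return 200 if can_read(repo, user) else (401 if user is None else 403)
    return 404


def resolve_repo(path):
    """Map any repository-scoped path (registry or web) to its Repo, or None."""
    for route in (OCI_ROUTE, WEB_ROUTE):
        m = route.match(path)
        if m:
            return REPOS.get((m["owner"], m["name"]))
    return None


def hardened_authorize(path, user):
    """After: one visibility check for every route that resolves to a repository."""
    repo = resolve_repo(path)
    if repo is None:
        return 404
    if can_read(repo, user):
        return 200
    return 401 if user is None else 403


if __name__ == "__main__":
    path = "/v2/acme/billing-svc/manifests/latest"
    print("vulnerable, anonymous:", vulnerable_authorize(path, None))  # 200
    print("hardened,   anonymous:", hardened_authorize(path, None))    # 401
    print("hardened,   jdoe:     ", hardened_authorize(path, "jdoe"))  # 200
```

The design point is where the check lives: `hardened_authorize` resolves the repository first and applies `can_read` regardless of which API surface the request arrived on, so adding a new route family (a registry, a package API, a raw-file endpoint) cannot silently bypass the rule.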

Remediation Steps

  1. Update to Gitea 1.26.2 immediately - This is the only complete fix
  2. Set REQUIRE_SIGNIN_VIEW=true - As a temporary workaround, add this to your Gitea configuration under the [service] section
  3. Audit container images - Review what private images may have been exposed
  4. Rotate secrets - Any credentials, API keys, or tokens embedded in container images should be considered compromised

Organizations using Forgejo should monitor for an equivalent patch release.
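For steps 2 and 3 above, a defender wants two concrete checks: whether the `REQUIRE_SIGNIN_VIEW` workaround is actually set in `app.ini`, and which private images were fetched by unauthenticated clients while the flaw was live. The script below is an added example, not Gitea's or Noscope's tooling. It assumes a reverse proxy in front of Gitea writes combined-style access logs whose second field is the authenticated user (`-` when none); the log lines, the private-image list and the `app.ini` content are all constructed. The `/v2/<owner>/<image>/manifests/...` and `/blobs/...` paths it matches are the standard OCI distribution pull endpoints.

```python
"""Exposure audit for the Gitea registry flaw (added example, not Gitea's code).

1. Is REQUIRE_SIGNIN_VIEW enabled under [service] in app.ini?
2. Which private images were pulled by anonymous clients, per proxy access logs?
Log format, image list and app.ini text below are constructed samples.
"""
import configparser
import re
from collections import Counter

# OCI distribution pull paths served under /v2/; Gitea image names are <owner>/<image>.
OCI_PULL_RE = re.compile(
    r"^/v2/(?P<owner>[^/]+)/(?P<image>[^/]+)/(?P<kind>manifests|blobs)/(?P<ref>[^/?\s]+)"
)

# Combined-log-style line; user field is "-" when the proxy saw no credentials (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log: one anonymous client pulls a private image, one user pulls
# it legitimately, another anonymous client pulls a public image.
SAMPLE_LOG = """\
203.0.113.7 - [21/May/2026:10:02:11 +0000] "GET /v2/ HTTP/1.1" 401 0
203.0.113.7 - [21/May/2026:10:02:12 +0000] "GET /v2/acme/billing-svc/manifests/latest HTTP/1.1" 200 1543
203.0.113.7 - [21/May/2026:10:02:13 +0000] "GET /v2/acme/billing-svc/blobs/sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 HTTP/1.1" 200 58120311
198.51.100.4 jdoe [21/May/2026:10:05:40 +0000] "GET /v2/acme/billing-svc/manifests/v1.4 HTTP/1.1" 200 1543
203.0.113.9 - [21/May/2026:10:07:02 +0000] "GET /v2/acme/website/manifests/latest HTTP/1.1" 200 1201
203.0.113.7 - [21/May/2026:10:09:55 +0000] "GET /acme/billing-svc HTTP/1.1" 302 0
"""

# Constructed: images whose repositories are private (take this from your own instance).
PRIVATE_IMAGES = {"acme/billing-svc", "acme/payments-db"}


def anonymous_private_pulls(log_text, private_images):
    """Return (ip, image, kind, ref, status) for successful unauthenticated pulls of private images."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if m["method"] != "GET" or m["user"] != "-" or m["status"] != "200":
            continue
        p = OCI_PULL_RE.match(m["path"])
        if not p:
            continue  # not a registry manifest/blob fetch
        image = f"{p['owner']}/{p['image']}"
        if image in private_images:
            hits.append((m["ip"], image, p["kind"], p["ref"], int(m["status"])))
    return hits


def summarize(hits):
    """Count anonymous pull requests per (client ip, image)."""
    return Counter((ip, image) for ip, image, *_ in hits)


# Constructed app.ini fragment; the real key lives under [service] in Gitea's config.
SAMPLE_APP_INI = """\
[server]
ROOT_URL = https://git.example.internal/

[service]
REQUIRE_SIGNIN_VIEW = false
"""


def require_signin_view_enabled(ini_text):
    """True when [service] REQUIRE_SIGNIN_VIEW is set to a true value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


if __name__ == "__main__":
    print("workaround enabled:", require_signin_view_enabled(SAMPLE_APP_INI))
    for (ip, image), n in summarize(anonymous_private_pulls(SAMPLE_LOG, PRIVATE_IMAGES)).items():
        print(f"{ip} pulled private image {image} anonymously ({n} requests)")
```

An empty result from the log check is not a clean bill of health: it only covers the retention window of the proxy logs and requests that passed through that proxy. Given the four-year exposure window, the article's advice to assume access and rotate embedded secrets still stands; the log audit mainly tells you which images to prioritise.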

Why This Matters

Self-hosted Git platforms remain popular precisely because organizations want control over their source code and build artifacts. But that control comes with responsibility. When a vulnerability like this goes unnoticed for four years, it raises uncomfortable questions about security testing in open-source infrastructure projects.

Container images often contain more than just application code. Build processes frequently embed database credentials, cloud provider keys, and internal service tokens. An attacker with access to private images could pivot to production infrastructure or gain persistent access to CI/CD pipelines—something we've covered extensively in our supply chain attack coverage.

The 30,000+ deployment figure is likely conservative. Many Gitea instances run behind corporate firewalls and wouldn't appear in internet scans, though they'd still be vulnerable to insider threats or lateral movement during a breach.

If you're running Gitea with container registry enabled, assume your private images may have been accessed and plan your remediation accordingly.
