


Perceptive Security
SOC/SIEM Consultancy

Gitea Vulnerability Exposes Private Container Images without Authentication
Published:
27 May 2026 at 10:06:32
Alert date:
27 May 2026 at 12:04:12
Source:
thehackernews.com
Web Technologies, Supply Chain & Dependencies, Zero-Day Vulnerabilities
A critical vulnerability in Gitea (CVE-2026-27771) allows unauthenticated remote attackers to pull private container images without credentials. The flaw affects all Gitea versions prior to 1.26.2, exposing private repositories on self-hosted Gitea deployments. Attackers can access sensitive container images that should require authentication, potentially leading to unauthorized access to proprietary code and intellectual property.
Technical details
A security flaw in Gitea allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials. The vulnerability affects Gitea's container registry where the private designation on a container repository did not deliver the protection operators reasonably expected. The issue went undetected for close to four years and impacts more than 30,000 deployments across over 30 countries.
Mitigation steps:
Update to Gitea version 1.26.2 for optimal protection
If patching is not an immediate option, set [service].REQUIRE_SIGNIN_VIEW=true in the Gitea configuration (app.ini) as a temporary workaround
Verify impact status for any Gitea forks with respective maintainers
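A posture check for the two mitigation options above, written as an added example (it is not code from Gitea or from this advisory). It assumes that Python's configparser approximates Gitea's INI dialect well enough for the [service] section, and the version strings and app.ini fragments are constructed inputs.

```python
"""Assess a self-hosted Gitea instance's exposure to the private-registry
issue from two inputs: the running version and the app.ini contents.
Assumption: configparser is a close-enough reader for Gitea's app.ini."""
import configparser
import re
from typing import Tuple

FIXED_VERSION = (1, 26, 2)  # first release carrying the fix (per the advisory)

# Constructed app.ini fragments: the weak default and the workaround.
VULNERABLE_INI = """
[server]
ROOT_URL = https://git.example.internal/
[service]
; default: anonymous users may browse, which the registry bug abuses
REQUIRE_SIGNIN_VIEW = false
[packages]
ENABLED = true
"""
HARDENED_INI = VULNERABLE_INI.replace("REQUIRE_SIGNIN_VIEW = false",
                                      "REQUIRE_SIGNIN_VIEW = true")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a comparable (major, minor, patch) tuple from '1.26.1',
    'v1.26.2' or a longer string that contains such a version."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Gitea version: {text!r}")
    return tuple(int(x) for x in m.groups())


def require_signin_view(app_ini: str) -> bool:
    """True only if REQUIRE_SIGNIN_VIEW is enabled under [service];
    the same key in another section does not count."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(app_ini)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def assess(version: str, app_ini: str) -> str:
    """Return 'patched', 'workaround' or 'exposed' for this instance."""
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    if require_signin_view(app_ini):
        return "workaround"
    return "exposed"
```

Note that REQUIRE_SIGNIN_VIEW=true forces sign-in for every page of the instance, so anonymous access to public repositories is lost as well until 1.26.2 is deployed.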
Affected products:
Gitea (all versions prior to 1.26.2)
Forgejo (confirmed impacted fork)
Any fork of Gitea (potentially impacted)
Related links:
https://blog.gitea.com/release-of-1.26.2/
https://www.noscope.com/blog/gitea-instances-exposing-private-container
This article was created with the assistance of AI technology by Perceptive.
