Gitea flaw exposed private container images in self-hosted deployments


A security flaw in open-source code hosting platform Gitea let unauthenticated remote attackers pull private container images from affected self-hosted deployments, according to a technical analysis by Noscope. The issue, tracked as CVE-2026-27771, affects all versions before 1.26.2 and may have impacted more than 30,000 deployments across over 30 countries.

KEY FACTS

  • Impact: Private container images could be downloaded without an account or password.
  • Affected versions: All Gitea releases before 1.26.2 are listed as vulnerable.
  • Scope: Noscope said the exposure likely covered more than 30,000 deployments in multiple countries.
  • Workaround: Administrators can set REQUIRE_SIGNIN_VIEW=true in the configuration.

The report said the flaw went undetected for close to four years and that most exposed deployments were in China, the U.S., Germany, France and the U.K. Affected organizations included healthcare providers, aerospace manufacturers, retail infrastructure and internet service providers.

On affected versions, marking a repository private did not provide the protection operators expected. The built-in container registry served images that appeared private to any internet user, with no account, token or prior access required.

Gitea users are advised to update to version 1.26.2. If patching is not possible right away, the temporary configuration change can reduce exposure, although the report noted that it is not ideal for containers meant to be public: REQUIRE_SIGNIN_VIEW=true requires a login for every view, so anonymous access to intentionally public images is cut off as well.
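The following audit script is an added example for this article, not code from Gitea, Forgejo or Noscope. It checks the two things an operator can act on from the report: whether an instance's version predates 1.26.2, and whether the REQUIRE_SIGNIN_VIEW workaround is actually switched on in app.ini. It assumes that Gitea's /api/v1/version endpoint returns a JSON object with a "version" field, that the registry follows the OCI distribution API path /v2/<owner>/<image>/manifests/<tag>, and that REQUIRE_SIGNIN_VIEW lives in the [service] section; the sample app.ini text is constructed for the example. Because the trigger for CVE-2026-27771 has not been published, the anonymous manifest probe is a sanity check on a known-private image, not a vulnerability test: a non-200 answer does not prove an instance is unaffected.

```python
"""Audit helpers for the Gitea private-registry exposure (added example).

Assumptions (not from the report): /api/v1/version returns {"version": ...},
the registry speaks the OCI distribution API, and REQUIRE_SIGNIN_VIEW is
read from the [service] section of app.ini.
"""
import configparser
import json
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (1, 26, 2)  # first release the report lists as fixed

# Constructed sample configurations: the first lacks the workaround,
# the second adds it to the [service] section.
SAMPLE_APP_INI_WEAK = """\
APP_NAME = Gitea
RUN_MODE = prod

[server]
DOMAIN = git.example.internal

[service]
DISABLE_REGISTRATION = true
"""
SAMPLE_APP_INI_HARDENED = SAMPLE_APP_INI_WEAK + "REQUIRE_SIGNIN_VIEW = true\n"


def parse_version(text):
    """Leading numeric components of a Gitea version string.

    Gitea reports values such as "1.26.1" or "1.26.0+dev-12-gabcdef"; only the
    first three numeric components matter for the comparison.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True when the reported version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def require_signin_view_enabled(ini_text):
    """Parse app.ini text and report whether the workaround is on.

    Gitea's app.ini may carry keys before the first section header, which
    configparser rejects, so a throwaway root section is prepended.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[__root__]\n" + ini_text)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def fetch_version(base_url, timeout=10):
    """Query the instance version over the public API (anonymous by default)."""
    url = base_url.rstrip("/") + "/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def anonymous_manifest_status(base_url, owner, image, tag="latest", timeout=10):
    """HTTP status of an unauthenticated manifest GET for a known-private image.

    On a correctly protected instance this should be 401 or 404, never 200.
    """
    url = "%s/v2/%s/%s/manifests/%s" % (base_url.rstrip("/"), owner, image, tag)
    req = urllib.request.Request(
        url, headers={"Accept": "application/vnd.oci.image.manifest.v1+json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(version_text, ini_text):
    """Combine the offline checks into a small findings dict."""
    vulnerable = is_vulnerable_version(version_text)
    mitigated = require_signin_view_enabled(ini_text)
    return {
        "version": version_text,
        "pre_fix_version": vulnerable,
        "require_signin_view": mitigated,
        "action": ("none" if not vulnerable else
                   "upgrade to 1.26.2" if mitigated else
                   "upgrade to 1.26.2; set REQUIRE_SIGNIN_VIEW=true meanwhile"),
    }


if __name__ == "__main__":
    # Usage: python audit.py https://git.example.internal [owner image [tag]]
    if len(sys.argv) < 2:
        print(json.dumps(audit("1.26.1", SAMPLE_APP_INI_WEAK), indent=2))
    else:
        base = sys.argv[1]
        print("version:", fetch_version(base))
        if len(sys.argv) >= 4:
            print("anonymous manifest GET:",
                  anonymous_manifest_status(base, *sys.argv[2:5]))
```

Run without arguments to see the offline checks against the constructed sample; with an instance URL it reports the live version, and with an owner and image name it also records the status of an anonymous manifest request, which an operator should run only against their own deployment.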

The disclosure also said forks of Gitea should be treated as potentially affected until their maintainers verify otherwise. Forgejo has already been confirmed impacted in testing. No further technical details, including the exact request that triggers the flaw, have been released.

WHY IT MATTERS

Container images can contain application code, configuration data, credentials and other sensitive assets, so unintended read access to them creates both a confidentiality and a supply chain risk. The issue affects self-hosted deployments that rely on the built-in registry to keep images private, which makes prompt patching, a check of the REQUIRE_SIGNIN_VIEW setting and a review of which images were reachable important.