
Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source self-hosted version control platform, that allows an unauthenticated remote attacker to pull private container images from a Gitea deployment without an account, password, or any other credential.
The vulnerability is tracked as CVE-2026-27771 (CVSS score: N/A) and affects all versions of Gitea prior to 1.26.2, the release that addresses the issue.
According to Noscope, the flaw potentially exposed more than 30,000 deployments in over 30 countries and went undetected for nearly four years. Most of the exposed instances are in China, the United States, Germany, France, and the United Kingdom; affected organizations include healthcare providers, aerospace manufacturers, retail infrastructure operators, and internet service providers.
“In the affected versions, the private designation of container repositories did not provide the functionality that protection providers reasonably expected,” Noscope said.
“Gitea’s container registry allows anyone on the Internet to pull seemingly private container images from affected instances as if they were public, without an account, password, or prior access.”
The UK-based security firm also noted that forks of Gitea should be treated as potentially vulnerable until their respective maintainers have independently verified them; independent testing has confirmed that Forgejo is affected. No further technical details are available at this time.

For optimal protection, Gitea users should update to version 1.26.2. If the patch cannot be applied immediately, a temporary workaround is to set REQUIRE_SIGNIN_VIEW = true in the [service] section of Gitea's app.ini. Note that this setting requires sign-in for the whole instance, not only the container registry: anonymous users lose access to every public repository and package, so it is not suitable if some containers are meant to be exposed intentionally.
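The following is an added example for operators responding to this advisory; it is not code from the article, from Noscope, or from the Gitea project. It does two things: reads whether the REQUIRE_SIGNIN_VIEW workaround is actually set in the [service] section of an app.ini (a constructed sample config is embedded), and probes a live instance by requesting the manifest of an image you already know is private, anonymously. The probe assumes that Gitea's registry serves the standard OCI Distribution API under /v2/ (so a pull of OWNER/IMAGE:TAG begins with GET /v2/OWNER/IMAGE/manifests/TAG) and that a correctly protected private image answers an anonymous request with 401, 403, or 404 rather than 200; the article gives no technical details, so treat those two points as the author's assumptions, not as a published exploit path. The host, owner, and image names are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or the Gitea project): post-advisory
# checks for Gitea operators. Assumptions are marked below.

# Classify the HTTP status of an anonymous manifest GET against an image that
# is KNOWN to be private. Prints one word and always returns 0 so it can be
# used inside $(...) under `set -e`.
# Assumption: 200 means the registry served the manifest to an anonymous
# client; 401/403 (or 404, if existence is hidden) means access was denied.
classify_status() {
  case "$1" in
    200)         echo VULNERABLE ;;
    401|403|404) echo PROTECTED ;;
    *)           echo UNKNOWN ;;   # e.g. 000 when curl could not connect
  esac
}

# Read REQUIRE_SIGNIN_VIEW from the [service] section of an app.ini and print
# "true" or "false" (Gitea's default is false). Only the [service] section is
# consulted: the same key under another section would not take effect.
require_signin_view() {
  awk '
    /^[[:space:]]*\[/ { in_service = ($0 ~ /^[[:space:]]*\[service\][[:space:]]*$/); next }
    in_service && /^[[:space:]]*REQUIRE_SIGNIN_VIEW[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")      # drop "KEY ="
      sub(/[[:space:]]*[;#].*$/, "")      # drop a trailing comment
      sub(/[[:space:]]+$/, "")            # drop trailing blanks
      val = tolower($0)
    }
    END { print (val == "true") ? "true" : "false" }
  ' "$1"
}

# Probe a live instance. Usage: probe_private_image HOST OWNER IMAGE [TAG]
# Assumption: Gitea exposes the OCI Distribution API at /v2/ on the same host.
probe_private_image() {
  host=$1; owner=$2; image=$3; tag=${4:-latest}
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -H 'Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json' \
    "https://$host/v2/$owner/$image/manifests/$tag")
  printf '%s/%s/%s:%s -> HTTP %s: %s\n' \
    "$host" "$owner" "$image" "$tag" "$status" "$(classify_status "$status")"
}

# Constructed sample app.ini (not a real deployment) with the workaround set.
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
[server]
DOMAIN = gitea.example.com

[service]
DISABLE_REGISTRATION = true
; workaround from the advisory: deny anonymous viewing instance-wide
REQUIRE_SIGNIN_VIEW = true
EOF

printf 'sample app.ini REQUIRE_SIGNIN_VIEW=%s\n' "$(require_signin_view "$SAMPLE_INI")"

# Only probe a live host when one is supplied on the command line.
if [ "$#" -ge 3 ]; then
  probe_private_image "$@"
fi
```

Run it as `sh check.sh gitea.example.com myorg private-image latest` against an instance you operate, using an image you know is private; a VULNERABLE verdict after upgrading to 1.26.2 (or after setting REQUIRE_SIGNIN_VIEW) means the change has not taken effect, for example because the key landed in the wrong section or Gitea was not restarted. The config reader deliberately ignores the key outside [service] for exactly that reason.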
