Gitea Vulnerability Exposed 30,000 Deployments to Attacks
Briefly

CVE-2026-27771 is an access control vulnerability in Gitea’s built-in container registry that allowed unauthenticated attackers to pull container images labeled as private. Authentication was not enforced for images marked private, and the registry still served them in response to standard anonymous Docker/OCI pull requests to the registry API. Forgejo, which shares the same implementation, was also affected, and other Gitea-derived forks may be impacted. The flaw existed for about four years before being fixed in Gitea version 1.26.2. NoScope identified over 34,000 internet-facing Gitea instances, with about 31,750 likely vulnerable, including thousands of production deployments. Organizations were advised to update to the patched version.
“Gitea's container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public,” NoScope says.
“Due to the flaw, authentication requirements were not enforced on images marked as private, and the container registry still served them in response to standard, anonymous Docker/OCI pull requests to the registry API.”
“Tracked as CVE-2026-27771, the security flaw is described as an access control issue impacting Gitea's built-in container registry. Forgejo, which shares the implementation, is also affected. Other Gitea-derived forks may be impacted as well.”
“According to NoScope, a Shodan search uncovered over 34,000 internet-facing Gitea instances. Of these, approximately 93%, or 31,750, were likely vulnerable. Analysis of the potentially affected deployments revealed that roughly 4,000 were production systems running on major cloud or VPS platforms.”
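Added here as an administrator's post-upgrade self-check for a Gitea instance you operate; it is not code from the SecurityWeek or NoScope write-ups or from the Gitea project. It assumes Gitea's `/api/v1/version` endpoint, that the registry answers at the instance root on the standard OCI `/v2/<owner>/<image>/manifests/<tag>` path (the request `docker pull` issues), and constructed owner/image names and server responses.

```python
import json
import urllib.error
import urllib.request
from typing import Callable

FIXED_VERSION = (1, 26, 2)  # first Gitea release carrying the fix, per the advisory

def parse_version(text: str) -> tuple:
    """'1.26.1' or 'v1.26.2' -> comparable numeric tuple (Gitea version format)."""
    core = text.lstrip("v").split("+")[0]
    return tuple(int(p) for p in core.split(".")[:3])

def version_is_fixed(version_body: str) -> bool:
    """version_body is the JSON from GET /api/v1/version, e.g. {"version":"1.26.2"}."""
    v = json.loads(version_body)["version"]
    return "-" not in v and parse_version(v) >= FIXED_VERSION  # dev/prerelease builds are not counted as fixed

def classify_anonymous_pull(status: int, headers: dict) -> str:
    """Interpret the registry's reply to an unauthenticated manifest GET for a PRIVATE image."""
    if status == 200:
        return "VULNERABLE: private manifest served without authentication"
    if status == 401 and any(k.lower() == "www-authenticate" for k in headers):
        return "OK: registry demanded authentication"
    if status == 404:
        return "HIDDEN: not found anonymously (verify the image name if you expected 401)"
    return f"UNEXPECTED: HTTP {status}"

def http_get(url: str) -> tuple:
    # Anonymous GET, no credentials; 4xx replies are returned as (status, headers, body), not raised.
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.oci.image.manifest.v1+json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()

def check_instance(base_url: str, owner: str, image: str, tag: str = "latest", fetch: Callable = http_get) -> dict:
    """Run both checks against one instance; `fetch` is injectable so the logic can be tested offline."""
    root = base_url.rstrip("/")
    vstatus, _, vbody = fetch(f"{root}/api/v1/version")
    fixed = vstatus == 200 and version_is_fixed(vbody.decode())
    # Same path `docker pull <host>/<owner>/<image>:<tag>` requests under the OCI distribution API.
    mstatus, mhdrs, _ = fetch(f"{root}/v2/{owner}/{image}/manifests/{tag}")
    return {"version_fixed": fixed, "anonymous_pull": classify_anonymous_pull(mstatus, mhdrs)}

def fake_unpatched(url: str) -> tuple:
    if url.endswith("/api/v1/version"):  # constructed stand-in for an unpatched 1.26.1 instance
        return 200, {"Content-Type": "application/json"}, b'{"version":"1.26.1"}'
    return 200, {"Content-Type": "application/vnd.oci.image.manifest.v1+json"}, b"{}"  # hands out the manifest

if __name__ == "__main__":
    print(check_instance("https://git.example.test", "acme", "private-app", fetch=fake_unpatched))
```

Run it with the default `fetch` against your own instance and a known-private image name; a patched server should report `version_fixed: True` and an `OK` classification.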
Read at SecurityWeek