Full Report
Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without an account, password, or other credentials. The vulnerability, tracked as CVE-2026-27771 (CVSS score: N/A), affects all versions of Gitea prior to 1.26.2.
Analysis Summary
# Vulnerability: Unauthenticated Private Container Image Disclosure in Gitea
## CVE Details
- **CVE ID**: CVE-2026-27771
- **CVSS Score**: N/A (not yet assigned; the flaw grants unauthenticated network access to private data, so expect a high confidentiality rating once scored)
- **CWE**: Improper Authentication / Missing Authorization
## Affected Systems
- **Products**: Gitea (and downstream forks such as Forgejo)
- **Versions**: All versions prior to Gitea 1.26.2
- **Configurations**: Deployments utilizing the internal container registry for private images.
## Vulnerability Description
A flaw in Gitea's container registry implementation fails to enforce the "private" visibility designation on container packages. The registry handles an image pull request for a private image as if the image were public. Consequently, any remote client can pull container images from an affected instance without providing a username, password, or API token, bypassing the intended access-control policy.
## Exploitation
- **Status**: Discovered by researchers at Noscope, who estimate that roughly 30,000 deployments are affected. The initial disclosure reports no confirmed malicious exploitation in the wild.
- **Complexity**: Low (Requires no credentials or special access).
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: High (Private container images often contain proprietary source code, hardcoded configuration, or sensitive metadata).
- **Integrity**: None (the flaw as disclosed grants unauthorized "pull" (read) access only, not "push" or modification).
- **Availability**: None
## Remediation
### Patches
- **Gitea**: Upgrade to version **1.26.2** or later.
- **Forgejo**: Users should monitor Forgejo releases for a corresponding fix, as the fork is confirmed to be impacted.
### Workarounds
- Until the upgrade is applied, enable mandatory sign-in for the entire instance by setting `REQUIRE_SIGNIN_VIEW = true` under the `[service]` section of the Gitea configuration file (`app.ini`) and restarting Gitea.
- *Note*: This setting forces authentication for the whole instance, including the web UI, API and registry, so it breaks anonymous access to any public repositories or containers hosted alongside the private ones.
## Detection
- **Indicators of Compromise**: Review Gitea access logs (and any reverse-proxy logs in front of the instance) for `GET` requests to registry content paths (`/v2/<owner>/<image>/manifests/...` and `/v2/<owner>/<image>/blobs/...`) that returned `200` with no authenticated identity, particularly from unfamiliar source addresses. A `401` on an anonymous manifest request is the expected behaviour; a `200` means the image content was served without credentials.
- **Verification**: Security teams can confirm whether an instance is affected by attempting to pull a known private image with an unauthenticated client (e.g., `docker logout <instance_url>` followed by `docker pull <instance_url>/<owner>/<image>:<tag>`). A patched instance should reject the pull with an authentication error; a vulnerable instance serves the image.
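The two detection steps above, worked as a script. This is an added example and not code from Gitea or from the Noscope research; it assumes the access log uses Gitea's default combined-log style template, in which the identity field is `-` for anonymous requests, and that the registry is served under `/v2/` on the instance's base URL. The sample log lines are constructed; the host `gitea.example.internal`, owner `acme` and image `internal-api` are placeholders.

```python
"""Detection for CVE-2026-27771 style exposure of private container images.

1. hunt_anonymous_pulls(): scan Gitea access-log lines for successful,
   unauthenticated GETs against registry content paths (/v2/.../manifests/,
   /v2/.../blobs/).
2. probe_manifest(): request a private image manifest from a live instance
   with no credentials and classify the HTTP status it returns.

Added example, not Gitea project code. Assumes the access log follows
Gitea's default combined-log style template, where the identity field is
"-" for anonymous requests. All sample data below is constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional

# host - identity [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) - (?P<identity>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# OCI distribution API paths that actually transfer image content.
REGISTRY_PATH_RE = re.compile(
    r'^/v2/(?P<owner>[^/]+)/(?P<image>.+?)/(?:manifests|blobs)/'
)

# Constructed sample: one anonymous pull of a private image, one
# authenticated pull, one ordinary web-UI hit, and the normal 401 on /v2/.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2026:10:02:11 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/26.1.4"',
    '203.0.113.7 - - [11/May/2026:10:02:12 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1412 "-" "docker/26.1.4"',
    '203.0.113.7 - - [11/May/2026:10:02:12 +0000] "GET /v2/acme/internal-api/blobs/sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef HTTP/1.1" 200 31244 "-" "docker/26.1.4"',
    '198.51.100.4 - alice [11/May/2026:10:05:00 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1412 "-" "docker/26.1.4"',
    '198.51.100.9 - - [11/May/2026:10:06:00 +0000] "GET /acme/internal-api HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


@dataclass
class AnonymousPull:
    host: str
    path: str
    time: str


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_anonymous_pulls(lines: Iterable[str]) -> List[AnonymousPull]:
    """Return registry content fetches that succeeded (200) with no identity.

    A 401 on an anonymous request is the registry asking the client to
    authenticate and is normal. A 200 with identity "-" on a manifests/ or
    blobs/ path means image content left the server without credentials.
    """
    hits: List[AnonymousPull] = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] != "GET" or rec["status"] != "200":
            continue
        if rec["identity"] != "-":
            continue
        if not REGISTRY_PATH_RE.match(rec["path"]):
            continue
        hits.append(AnonymousPull(rec["host"], rec["path"], rec["time"]))
    return hits


def classify_status(status: int) -> str:
    """Interpret the registry's answer to an unauthenticated manifest GET."""
    if status == 200:
        return "EXPOSED"       # manifest served without credentials
    if status in (401, 403):
        return "PROTECTED"     # authentication demanded or denied, as expected
    if status == 404:
        return "NOT_FOUND"     # also what a correctly hidden image may return
    return "UNEXPECTED"


def probe_manifest(base_url: str, owner: str, image: str, tag: str = "latest") -> str:
    """Fetch a manifest with NO Authorization header and classify the result.

    Same check as `docker logout` followed by `docker pull`, minus docker's
    token exchange, so the raw status is visible. Only run this against an
    instance you are authorised to test.
    """
    url = f"{base_url.rstrip('/')}/v2/{owner}/{image}/manifests/{tag}"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.oci.image.manifest.v1+json, "
                  "application/vnd.docker.distribution.manifest.v2+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as e:
        return classify_status(e.code)


if __name__ == "__main__":
    for hit in hunt_anonymous_pulls(SAMPLE_LOG):
        print(f"anonymous 200 from {hit.host} at {hit.time}: {hit.path}")
    # Live probe (placeholder instance, not a real host):
    # print(probe_manifest("https://gitea.example.internal", "acme", "internal-api"))
```

Run the log hunt over the real access log (`ACCESS_LOG_TEMPLATE` must not have been customised away from the default, or adjust `LOG_RE`) and keep the live probe for a pre- and post-upgrade check: the verdict should move from `EXPOSED` to `PROTECTED` after moving to 1.26.2.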
## References
- **Gitea Release Notes**: hxxps://blog.gitea[.]com/release-of-1.26.2/
- **Noscope Research**: hxxps://www.noscope[.]com/blog/gitea-instances-exposing-private-container
- **News Source**: hxxps://thehackernews[.]com/2026/05/gitea-vulnerability-exposes-private.html