Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials.
The vulnerability, tracked as CVE-2026-27771 (CVSS score: 8.2), affects all versions of Gitea prior to 1.26.2, which addresses the issue.
According to Noscope, the security defect likely impacts more than 30,000 deployments across over 30 countries and went undetected for close to four years. The vast majority of the exposures are in China, the U.S., Germany, France, and the U.K. Affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure, and internet service providers.
“On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to,” Noscope said.
“Gitea’s container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public.”
The U.K.-based security company also pointed out any fork of Gitea should be treated as potentially impacted by the vulnerability until it’s been independently verified by the respective maintainers. In its own testing, Forgejo has been confirmed to be impacted.
No additional technical details related to CVE-2026-27771 are currently available. In a statement shared with The Hacker News, Noscope co-founder Keval Jagani said the specifics have been intentionally held back to give the “broader Gitea ecosystem time to patch.”
Gitea users are advised to update to version 1.6.2 for optimal protection. If patching is not an immediate option, a temporary workaround is to set [service].REQUIRE_SIGNIN_VIEW=true in the Gitea configuration. However, it’s worth noting that this approach isn’t ideal if some containers are meant to be intentionally exposed publicly.
(The story was updated after publication to include a response from Noscope.)
