Forgejo and Gitea: Gitea Container Vulnerability Exposes Private Container Images to Attackers

Critical Gitea Container Registry Flaw Exposes Private Images to Unauthenticated Attackers

A severe security vulnerability in Gitea’s built-in container registry (CVE-2026-27771) allows unauthenticated attackers to access and download private container images, posing major risks to self-hosted Git and CI/CD environments. The flaw stems from improper access control enforcement in the registry endpoint, enabling attackers to bypass authentication and retrieve image manifests and layers via standard Docker or OCI pull requests.

The impact is significant, as exposed container images often contain sensitive data including proprietary code, API keys, database credentials, and cloud access tokens. Unauthorized access could lead to infrastructure mapping, privilege escalation, lateral movement, or full system compromise. Worst-case scenarios include data breaches or complete infrastructure takeover.

All Gitea versions prior to 1.26.2 are affected, along with Forgejo, a widely used fork sharing the same registry implementation. Researchers estimate over 31,000 internet-facing Gitea instances spanning healthcare, aerospace, retail, and enterprise sectors are potentially vulnerable, many hosted on major cloud platforms.

Discovered in April 2026 by NoScope, an autonomous penetration testing agent, the flaw went undetected for nearly four years. While no active exploitation has been observed, security firm Orca Security warns of its high risk due to its simplicity and lack of authentication requirements.

Gitea released a patch in version 1.26.2. As a temporary workaround, administrators can enforce authentication via the REQUIRE_SIGNIN_VIEW setting, though this may disrupt public access. Security teams are advised to audit logs for unauthorized pulls and rotate exposed credentials. Organizations using Gitea for container storage or CI/CD workflows should prioritize remediation to mitigate potential exposure.
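An added example (not from the article, nor Gitea's or Forgejo's own code) of the log audit the paragraph above recommends: it scans an access log for successful unauthenticated manifest or blob pulls of images you consider private and groups the hits by client host for triage. It assumes a combined-style access-log layout with `-` in the identity field for anonymous requests; the log lines and image names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed combined-style layout:
# host, identity (- when anonymous), time, request, status, size.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2026:09:12:01 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1843
203.0.113.7 - - [14/Apr/2026:09:12:02 +0000] "GET /v2/acme/internal-api/blobs/sha256:deadbeef HTTP/1.1" 200 29400611
198.51.100.9 - alice [14/Apr/2026:09:15:40 +0000] "GET /v2/acme/internal-api/manifests/v2.3 HTTP/1.1" 200 1843
203.0.113.7 - - [14/Apr/2026:09:16:10 +0000] "GET /v2/acme/public-tool/manifests/latest HTTP/1.1" 200 1200
203.0.113.8 - - [14/Apr/2026:09:17:55 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# OCI distribution pull endpoints; Gitea names images as <owner>/<image>.
PULL_RE = re.compile(r'^/v2/(?P<owner>[^/]+)/(?P<image>[^/]+)/(?:manifests|blobs)/')


@dataclass(frozen=True)
class AnonymousPull:
    host: str
    time: str
    image: str  # owner/image
    path: str


def find_anonymous_pulls(log_text, private_images):
    """Return successful (2xx) anonymous GET/HEAD pulls of images in private_images."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['user'] != '-' or m['method'] not in ('GET', 'HEAD'):
            continue
        if not m['status'].startswith('2'):
            continue  # a 401/403 means access control held for this request
        p = PULL_RE.match(m['path'])
        if not p:
            continue
        image = f"{p['owner']}/{p['image']}"
        if image in private_images:
            hits.append(AnonymousPull(m['host'], m['time'], image, m['path']))
    return hits


def pulls_by_host(hits):
    """Group hits by client host: which private images each anonymous client fetched."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.host, set()).add(h.image)
    return grouped
```

Gitea only writes an access log when ENABLE_ACCESS_LOG is on in the [log] section and its template is configurable, so adjust LINE_RE to the layout your instance actually emits. Any image that appears in the output should have every secret baked into it rotated, in line with the article's advice.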

Source: https://cybersecuritynews.com/gitea-container-vulnerability/

AniNIX cybersecurity rating report: https://www.rankiteo.com/company/aninix

OpenCommit Foundation cybersecurity rating report: https://www.rankiteo.com/company/stichting-opencommit

"id": "ANISTI1779971086",
"linkid": "aninix, stichting-opencommit",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"