A significant security flaw in Gitea, an open source, self-hosted Git service, has put over 30,000 deployments at risk by exposing private container images to unauthenticated clients. The issue was identified by AI pentesting firm NoScope.
Details of the Vulnerability
The vulnerability, cataloged as CVE-2026-27771, is an access-control flaw (missing authorization) in Gitea's built-in container registry. It extends to Forgejo, which shares the same registry implementation, and potentially to other Gitea-based forks.
The registry did not enforce authentication on images marked as private, so an anonymous client could fetch them with an ordinary Docker/OCI pull against the registry API, the same /v2/ endpoints a docker pull uses, without credentials or any special tooling.
Impact and Discovery
The flaw had been present in Gitea's codebase for nearly four years before being fixed in version 1.26.2, released last week. According to NoScope, Gitea's container registry inadvertently permitted anyone online, without any credentials, to pull images that should have been private.
Because container images routinely bundle source code and infrastructure details, the exposure is particularly concerning. NoScope's Shodan survey found over 34,000 internet-facing Gitea instances, of which about 93% (roughly 31,750) were running versions likely affected by the issue.
Of the likely-affected instances, around 4,000 were hosted on major cloud or VPS providers and roughly 7,000 were listening on Gitea's default HTTP port (3000). These figures indicate that the affected systems are not only hobbyist setups but include organizations that deliberately self-host their development infrastructure.
Recommendations and Precautions
To mitigate the risk, organizations should upgrade to Gitea 1.26.2 (or the corresponding patched Forgejo release) without delay. Where an immediate upgrade is not possible, Gitea can be configured to require authentication for all access by setting REQUIRE_SIGNIN_VIEW = true in the [service] section of app.ini, which forces sign-in for every page and API request. That setting also blocks anonymous pulls of images that were intentionally made public, so operators who deliberately expose some containers must weigh that against the exposure of their private images.
In light of this incident, operators should reassess their registry access controls, confirm after patching that an unauthenticated pull of a known-private image is refused, and, where registry access logs are retained, check whether private images were pulled anonymously while the flaw was exposed.
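The following script is an added example written for this article; it is not code from NoScope, Gitea or Forgejo. It reproduces the anonymous pull described above so an operator can verify their own instance before and after patching: an unauthenticated GET of an image manifest on the registry's /v2/ API, and, if the registry answers 401 with a Bearer challenge, an anonymous token request followed by a retry, which is what a plain docker pull does. The hostname, owner and image name are placeholders; run it only against an instance you operate, naming an image you know is private.

```python
"""Check whether a Gitea/Forgejo container registry serves a private image's
manifest to a client with no credentials. Added example, not project code.

Usage: python check_anon_pull.py https://git.example.com myorg/private-app:latest
(host, owner and image are placeholders; use your own instance and a private image).
Exit status 1 means the manifest was served anonymously.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Manifest media types an ordinary Docker/OCI pull advertises in Accept.
ACCEPT = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
])


def split_ref(image_ref):
    """Split 'owner/image[:tag|@digest]' into (name, reference); tag defaults to latest."""
    if "@" in image_ref:
        name, _, reference = image_ref.partition("@")
    elif ":" in image_ref:
        name, _, reference = image_ref.rpartition(":")
    else:
        name, reference = image_ref, "latest"
    return name, reference


def manifest_url(base_url, image_ref):
    """Manifest endpoint of the registry API; repository names are lowercase in Docker's grammar."""
    name, reference = split_ref(image_ref)
    return f"{base_url.rstrip('/')}/v2/{name.lower()}/manifests/{reference}"


def parse_bearer_challenge(header):
    """Parse 'Bearer realm="...",service="..."' from WWW-Authenticate into a dict, else None."""
    if not header or not header.lower().startswith("bearer "):
        return None
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', header[7:])}


def classify(status):
    """Verdict for the final HTTP status of the unauthenticated manifest fetch."""
    if status == 200:
        return "ANONYMOUS_PULL_ALLOWED"   # private manifest served with no credentials
    if status in (401, 403):
        return "AUTH_REQUIRED"            # what a private image should return
    if status == 404:
        return "NOT_FOUND"                # wrong name/tag, or the registry hides private images
    return "UNEXPECTED"


def _get(url, token, timeout):
    """GET url, optionally with a Bearer token; return (status, parsed challenge or None)."""
    headers = {"Accept": ACCEPT}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, parse_bearer_challenge(err.headers.get("WWW-Authenticate"))


def anonymous_token(challenge, name, timeout):
    """Ask the challenge realm for a token with no credentials, as docker does for public pulls."""
    query = urllib.parse.urlencode(
        {"service": challenge.get("service", ""), "scope": f"repository:{name}:pull"})
    req = urllib.request.Request(f"{challenge['realm']}?{query}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError:
        return None                       # realm refused to issue an anonymous token
    return body.get("token") or body.get("access_token")


def anonymous_manifest_status(base_url, image_ref, timeout=10):
    """Final status of an anonymous manifest fetch, following one Bearer challenge."""
    name, _ = split_ref(image_ref)
    url = manifest_url(base_url, image_ref)
    status, challenge = _get(url, None, timeout)
    if status == 401 and challenge and "realm" in challenge:
        token = anonymous_token(challenge, name.lower(), timeout)
        if token:
            status, _ = _get(url, token, timeout)
    return status


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <base_url> <owner/image[:tag]>", file=sys.stderr)
        return 2
    status = anonymous_manifest_status(argv[1], argv[2])
    verdict = classify(status)
    print(f"{argv[2]}: HTTP {status} -> {verdict}")
    return 1 if verdict == "ANONYMOUS_PULL_ALLOWED" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a patched instance, or one with sign-in required for all access, a private image should yield AUTH_REQUIRED (or NOT_FOUND if the registry hides private packages from anonymous clients); ANONYMOUS_PULL_ALLOWED for an image you know is private means the registry is still exposing it.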
