A security vulnerability in Gitea allows unauthenticated attackers to download private container images without any credentials. CVE-2026-27771 affects all versions of Gitea before 1.26.2.
The flaw enables remote attackers to pull private container images directly from affected Gitea deployments. No account, password, or authentication token is required to exploit this vulnerability. This means any attacker with network access to a vulnerable Gitea instance can retrieve container images an organisation intended to keep private.
Container images often contain application source code, dependencies, configuration details, and other sensitive intellectual property. Exposing these images to unauthenticated access creates a direct pathway for threat actors to conduct reconnaissance, identify vulnerabilities in custom applications, or steal proprietary code.
Organisations running self-hosted Gitea instances should treat this as a priority remediation. The vulnerability affects the container registry functionality that Gitea provides as part of its broader version control platform. Organisations that also rely on Gitea as a container registry need to upgrade immediately to version 1.26.2 or later.
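A triage script for the upgrade advice above, added here as an example and not part of the original report or of the Gitea project: it compares a Gitea instance's reported version with the fixed 1.26.2 release. It assumes the instance exposes Gitea's unauthenticated GET /api/v1/version endpoint, and the hostname in the usage comment is a placeholder.

```python
import json
import re
import sys
import urllib.request

# Fixed version named in the advisory: every Gitea release before it is affected.
FIXED_VERSION = (1, 26, 2)

# Matches version strings such as "1.26.1", "v1.26.2-rc1" or "1.27.0+dev-12-gabcdef".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+.*)?$")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) for a Gitea version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return int(major), int(minor), int(patch), prerelease is not None


def is_affected(text):
    """True when the reported version is older than 1.26.2.

    Assumption: pre-release builds of 1.26.2 (e.g. "1.26.2-rc1") are treated
    as affected, since the advisory only names the 1.26.2 release as fixed.
    """
    major, minor, patch, prerelease = parse_version(text)
    if (major, minor, patch) < FIXED_VERSION:
        return True
    return (major, minor, patch) == FIXED_VERSION and prerelease


def fetch_version(base_url):
    """Read the instance version from the unauthenticated /api/v1/version endpoint."""
    url = base_url.rstrip("/") + "/api/v1/version"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python check_gitea.py https://gitea.example.internal  (placeholder host)
    target = sys.argv[1]
    reported = fetch_version(target)
    verdict = "AFFECTED, upgrade to 1.26.2 or later" if is_affected(reported) else "not affected"
    print(f"{target}: Gitea {reported} is {verdict}")
```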
The absence of an assigned CVSS score in current reporting suggests either ongoing analysis or coordination delays, though the severity is evident. Unauthenticated access to private artifacts represents a critical security boundary violation.
Administrators should audit their Gitea deployments to determine whether they have been accessed by unauthorised users since deployment. Container images stored in affected instances should be considered potentially compromised. Organisations should also rotate any secrets or credentials contained within those images.
Gitea maintainers have released the patched version. No active exploitation has been publicly documented at the time of disclosure, but the simplicity of the attack vector means exploitation is likely to occur in the wild shortly after public announcement. Prioritise patching production instances within days, not weeks.
