Gitea Vulnerability Exposes Private Container Images without Authentication
A security flaw in Gitea allows remote attackers to retrieve private container images from affected self-hosted deployments without any account, password, or other credentials. The issue is tracked as CVE-2026-27771 and affects all Gitea versions prior to 1.26.2, which contains the fix. The impact is estimated to involve more than 30,000 deployments across over 30 countries, with most exposures in China, the U.S., Germany, France, and the U.K. Organizations potentially affected include healthcare providers, aerospace manufacturers, retail infrastructure operators, and internet service providers. Any fork of Gitea should be treated as potentially affected until its maintainers have independently verified it, and Forgejo has been confirmed vulnerable. Users should update to 1.26.2 for protection or set [service].REQUIRE_SIGNIN_VIEW=true as a temporary workaround.
"On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to."
"Gitea's container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public."
"The vulnerability, tracked as CVE-2026-27771 (CVSS score: N/A), affects all versions of Gitea prior to 1.26.2, which addresses the issue."
"The U.K.-based security company also pointed out any fork of Gitea should be treated as potentially impacted by the vulnerability until it's been independently verified by the respective maintainers. In its own testing, Forgejo has been confirmed to be impacted."
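The two defensive actions named above (confirm the running version is 1.26.2 or later, or confirm the REQUIRE_SIGNIN_VIEW workaround is actually set) are easy to get wrong by eye, since a naive string comparison ranks 1.6.2 above 1.26.2. The following script is an added example, not code from The Hacker News article or from the Gitea project. It assumes Gitea's /api/v1/version endpoint answers with {"version":"x.y.z"}; the app.ini contents and file paths it uses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the Gitea project): check whether a
# self-hosted Gitea instance still needs the CVE-2026-27771 fix, and whether the
# [service] REQUIRE_SIGNIN_VIEW workaround is really in place in app.ini.
# Assumptions: /api/v1/version answers {"version":"x.y.z"}; the sample app.ini
# files below are constructed for illustration, not taken from any deployment.

FIXED_VERSION="1.26.2"   # first release containing the fix, per the article

# version_ge A B: exit 0 when dotted version A >= B, comparing each component
# numerically (so 1.26.2 > 1.6.2, and 1.26 is treated as 1.26.0).
version_ge() {
  i=1
  while :; do
    # a trailing dot guarantees cut always sees a delimiter, even for "1"
    a=$(printf '%s.' "$1" | cut -d. -f"$i")
    b=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$a" ] && [ -z "$b" ] && return 0    # ran out of components: equal
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
}

# needs_patch VERSION: exit 0 when the reported version predates the fix.
# Build suffixes such as 1.26.1+dev-5-gabcdef or 1.26.0-rc1 are dropped first,
# so a pre-release is treated as its base version.
needs_patch() {
  ver=$(printf '%s' "$1" | sed 's/[-+].*//')
  if version_ge "$ver" "$FIXED_VERSION"; then return 1; else return 0; fi
}

# workaround_enabled APP_INI: exit 0 when the [service] section sets
# REQUIRE_SIGNIN_VIEW = true. Note this forces sign-in for every page and API
# call on the instance, which also ends anonymous access to public repositories.
workaround_enabled() {
  awk -F= '
    /^\[/ { insvc = ($0 ~ /^\[service\]/) }
    insvc && $1 ~ /^[ \t]*REQUIRE_SIGNIN_VIEW[ \t]*$/ {
      gsub(/[ \t\r]/, "", $2); if (tolower($2) == "true") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Constructed sample configurations (not from any real deployment).
INI_WEAK=$(mktemp); INI_HARDENED=$(mktemp)
trap 'rm -f "$INI_WEAK" "$INI_HARDENED"' EXIT
cat >"$INI_WEAK" <<'EOF'
[service]
REQUIRE_SIGNIN_VIEW = false
EOF
cat >"$INI_HARDENED" <<'EOF'
[server]
ROOT_URL = https://gitea.example.internal/
[service]
; temporary mitigation until the instance runs 1.26.2 or later
REQUIRE_SIGNIN_VIEW = true
EOF

# Optional live check of your own instance: export GITEA_URL=https://gitea.example.internal
if [ -n "${GITEA_URL:-}" ]; then
  live=$(curl -fsS "$GITEA_URL/api/v1/version" | sed 's/.*"version" *: *"\([^"]*\)".*/\1/')
  if needs_patch "$live"; then
    echo "Gitea $live predates the CVE-2026-27771 fix: upgrade to $FIXED_VERSION or newer"
  else
    echo "Gitea $live already contains the fix"
  fi
fi
```

Run it with GITEA_URL pointing at your own instance to get a version verdict, and call workaround_enabled on the real app.ini path (for example /etc/gitea/app.ini, an assumed location) to confirm the interim setting took effect. Treat the workaround as exactly that: it locks the whole instance behind sign-in rather than fixing the registry, so plan the upgrade to 1.26.2 regardless.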
Read at The Hacker News