Gitea CVE-2026-27771 exposed private container images without authentication
A vulnerability identified as CVE-2026-27771 allowed unauthenticated access to private container images on Gitea instances for nearly four years. Over 30,000 deployments were affected, raising concerns about the exposure of sensitive information. Users are urged to update to the latest version or implement a temporary configuration change to mitigate the risk.
- CVE-2026-27771 exposed private container images on Gitea instances without authentication.
- The flaw went undetected for four years and affected over 30,000 deployments.
- Users are advised to update to Gitea v1.26.2 or set a temporary configuration to protect their images.
Opening excerpt (first ~120 words)
TL;DR: CVE-2026-27771 allowed unauthenticated access to private container images on Gitea instances. 30,000+ deployments were affected. The flaw went undetected for 4 years. NoScope discovered and responsibly disclosed it. If you run Gitea, update to v1.26.2 immediately. If you can't update right now, set [service].REQUIRE_SIGNIN_VIEW=true in your Gitea configuration as a temporary stopgap. Note that this stopgap isn't suitable if you intentionally expose some containers publicly, because it requires sign-in for all views. If your team runs Gitea and uses its built-in container registry, there's a question you should be asking right now: has anyone been reading your private images? Not because you misconfigured something. Not because someone phished your credentials.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at NoScope.
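The excerpt gives two concrete remediation facts: the fixed version (v1.26.2) and the stopgap setting ([service].REQUIRE_SIGNIN_VIEW=true). The following Python script, added here as an editorial example and not part of the NoScope article or the Gitea project, turns those two facts into a self-assessment an operator can run against a Gitea app.ini: it reads the [service] section with the standard configparser module, checks whether the stopgap is enabled, and compares the running version against 1.26.2. The sample app.ini fragments are constructed; the version string is assumed to be supplied by the operator (for example from the output of the gitea binary's --version flag), and the path of app.ini is deployment-specific.

```python
import configparser
from typing import Tuple

# Constructed sample app.ini fragments (not taken from any real instance).
APP_INI_STOPGAP_MISSING = """
[server]
DOMAIN = git.example.internal

[service]
REQUIRE_SIGNIN_VIEW = false
"""

APP_INI_STOPGAP_SET = """
[service]
REQUIRE_SIGNIN_VIEW = true
"""

# First version the excerpt names as fixed for CVE-2026-27771.
FIXED_VERSION = (1, 26, 2)


def parse_version(s: str) -> Tuple[int, ...]:
    """'v1.26.2' or '1.26.2' -> (1, 26, 2). Only the first three numeric parts count."""
    return tuple(int(p) for p in s.strip().lstrip("v").split(".")[:3])


def stopgap_enabled(ini_text: str) -> bool:
    """True when [service].REQUIRE_SIGNIN_VIEW is set to a truthy value."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(ini_text)
    # Missing section or key means Gitea's default, which is not the stopgap.
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def assess(version: str, ini_text: str, public_containers_intended: bool = False) -> str:
    """Classify an instance as 'patched', 'stopgap', 'stopgap-breaks-public', or 'exposed'."""
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    if stopgap_enabled(ini_text):
        # The excerpt notes the stopgap is unsuitable when some containers are
        # meant to be public: REQUIRE_SIGNIN_VIEW blocks anonymous access to all of them.
        return "stopgap-breaks-public" if public_containers_intended else "stopgap"
    return "exposed"


if __name__ == "__main__":
    # Operator-supplied values (assumed): running version and app.ini contents.
    for ver, ini in (("1.25.3", APP_INI_STOPGAP_MISSING), ("1.25.3", APP_INI_STOPGAP_SET), ("1.26.2", APP_INI_STOPGAP_MISSING)):
        print(ver, "->", assess(ver, ini))
```

The script reads only the local configuration and a version string, so it is safe to run on a production host; an "exposed" result means the instance is below v1.26.2 and has no stopgap, and the only durable fix remains the upgrade.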