Cybersecurity researchers have disclosed a critical authentication flaw in Gitea, the popular open-source, self-hosted version-control platform, that let unauthenticated remote attackers pull private container images from affected deployments without any credentials. The flaw, tracked as CVE-2026-27771, was disclosed publicly on May 27, 2026 and impacts all versions of Gitea prior to 1.26.2.
What the vulnerability does
According to U.K.-based security firm Noscope, which reported the issue, Gitea's container registry treated images marked as private in a way that did not actually enforce that designation at the API layer. Anyone on the internet, with no account and no password, could pull what would normally be considered private container images as if they were public.
"On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to," Noscope said in its disclosure. The bug had reportedly gone undetected for close to four years.
30,000 deployments across 30+ countries
Noscope's scans estimate that the vulnerability impacts more than 30,000 deployments across more than 30 countries. The largest concentrations of exposed instances are in China, the United States, Germany, France and the United Kingdom. The company says affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure operators and internet service providers — sectors where container images can contain proprietary code, secrets, signing keys or pre-built deployment configurations.
Any fork of Gitea should be treated as potentially impacted until independently verified. In its own testing, Noscope confirmed that Forgejo, a community-maintained Gitea fork, is also affected by the issue.
How to patch and mitigate
Gitea has shipped a fix in version 1.26.2, and administrators are urged to upgrade immediately. For deployments where an upgrade is not yet possible, Noscope recommends setting [service].REQUIRE_SIGNIN_VIEW=true in the Gitea configuration as a temporary workaround. The trade-off: that setting will also block any container images that the operator intentionally wants to expose to the public.
Because the vulnerability allows silent, credential-less reads, log evidence of past abuse may be limited. Security teams should treat any private container repositories on unpatched Gitea instances as potentially exposed and assume secrets, credentials or proprietary code committed inside those images may have been pulled.
Part of a broader supply-chain pattern
The Gitea disclosure lands during an unusually intense stretch of source-code and container ecosystem incidents. Recent weeks have seen a 3,800-repository breach at GitHub via a malicious VS Code extension, a Drupal core SQL injection flaw added to CISA's exploited list, and the takedown of the first major VPN cybercrime service. Together, the events highlight how attackers are increasingly targeting the developer toolchain itself rather than just runtime systems.
For organizations running self-hosted Git platforms, the Gitea incident is a reminder that container registries embedded in code-hosting tools deserve the same scrutiny as standalone registries — and that the "private" flag is only as strong as the code enforcing it.
Reporting based on coverage from The Hacker News and Noscope's public disclosure.