CVE-2026-27771 is an access control vulnerability in Gitea's built-in container registry that allowed anonymous Docker/OCI pull requests to retrieve private container images without authentication. The flaw persisted for about four years and affected Gitea, Forgejo, and potentially other forks. Approximately 93% of over 34,000 internet-facing Gitea instances were vulnerable, including thousands of production deployments. The issue was resolved in Gitea version 1.26.2 by enforcing authentication for private images or allowing configuration changes to require authentication. The vulnerability exposed sensitive information contained in container images, such as source code and credentials.

The vulnerability enabled unauthenticated attackers to access private container images, potentially exposing sensitive source code, credentials, and infrastructure information. This exposure could lead to information disclosure that may aid further attacks or compromise. Over 30,000 Gitea deployments were affected, including approximately 4,000 production systems on major cloud or VPS platforms. However, there is no indication that the vulnerability has been exploited in the wild.

A fix is available in Gitea version 1.26.2, which patches the vulnerability by enforcing authentication for private container images. Organizations should update to this version immediately. Alternatively, operators can change configuration settings to require authentication for all content access, but this may not be suitable for instances intentionally exposing some containers publicly. NoScope recommends weighing the trade-offs carefully in such cases.