Critical Gitea flaw exposed 30,000 private container repositories to unauthenticated access

Cybersecurity researchers at Noscope have disclosed a critical authentication bypass vulnerability in Gitea, the widely used self-hosted Git platform, that allowed unauthenticated attackers to download private container images from affected installations. The flaw, tracked as CVE-2026-27771, affects all Gitea versions prior to 1.26.2; the vulnerable code had been present for nearly four years before it was reported.
Gitea is an open-source alternative to GitHub, deployed by organizations that want to keep their source code and build artifacts within their own infrastructure rather than on public cloud platforms. Its container registry feature — used to store Docker and OCI images — was the component affected.
What the vulnerability allowed
The flaw is a failure of access control in Gitea's container registry. Any client that could reach the instance over the network could send unauthenticated requests and pull private container images, images that their owners had explicitly marked private. No account, no credentials, and no prior authorization were required.
Container images can contain sensitive material: proprietary application code, internal tooling, deployment configurations, environment variables, and embedded secrets. Private images are specifically intended to restrict access to authorized parties. The vulnerability made that designation meaningless for any Gitea deployment running an affected version.
Scale of exposure
Noscope's research identified more than 30,000 Gitea deployments across 30+ countries that were affected, with the highest concentrations in China, the United States, Germany, France, and the United Kingdom. The affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure operators, and internet service providers.
The nearly four-year exposure window is particularly concerning. Any threat actor that discovered or purchased knowledge of this flaw during that period could have been quietly exfiltrating private container images without triggering standard intrusion detection: when authentication is bypassed entirely, there are no failed login attempts to alert on. The pulls would have appeared as ordinary, successful anonymous requests, so any retrospective investigation has to start from the registry's access logs rather than from authentication failures.
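Because the flaw produces successful anonymous requests rather than failures, hunting for past abuse means scanning the registry's access log for anonymous `200` responses on manifest and blob paths of images that are supposed to be private. The following script is an added example, not Gitea's or Noscope's code. It assumes Gitea's default access-log line format (enabled with `ENABLE_ACCESS_LOG = true` in the `[log]` section), in which the identity field is `-` for anonymous requests, and it takes the set of private image names from the operator (in practice, from the instance's package visibility settings). The log lines, the image name `acme/backend`, the client addresses and the timestamps are constructed for illustration.

```python
"""Retrospective check of Gitea access logs for anonymous pulls of private images.

Added example; assumes Gitea's default access-log template, in which the
identity field is "-" for anonymous requests. Sample data below is constructed.
"""
import re
from collections import defaultdict

# Default Gitea access-log line (assumption):
# client - identity [time] "METHOD path PROTO" status size "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<identity>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# OCI distribution API paths served by Gitea's registry:
# /v2/<owner>/<image>/{manifests,blobs}/<reference>   (image names may contain "/")
REGISTRY_RE = re.compile(
    r'^/v2/(?P<owner>[^/]+)/(?P<image>.+)/(?P<kind>manifests|blobs)/(?P<ref>[^/?]+)$'
)

# Constructed log excerpt: one anonymous client pulls a private image (manifest + blob),
# a signed-in user pulls the same image legitimately, another anonymous client pulls a
# public image, and a later anonymous attempt on the private image is refused (401).
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:12:01 +0000] "GET /v2/token HTTP/1.1" 200 215 "-" "docker/24.0.7"
203.0.113.7 - - [27/May/2026:10:12:02 +0000] "GET /v2/acme/backend/manifests/latest HTTP/1.1" 200 1533 "-" "docker/24.0.7"
203.0.113.7 - - [27/May/2026:10:12:03 +0000] "GET /v2/acme/backend/blobs/sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 HTTP/1.1" 200 20511 "-" "docker/24.0.7"
198.51.100.4 - alice [27/May/2026:10:13:00 +0000] "GET /v2/acme/backend/manifests/latest HTTP/1.1" 200 1533 "-" "docker/24.0.7"
203.0.113.9 - - [27/May/2026:10:14:00 +0000] "GET /v2/acme/website/manifests/latest HTTP/1.1" 200 901 "-" "curl/8.5.0"
203.0.113.9 - - [27/May/2026:10:14:05 +0000] "GET /v2/acme/backend/manifests/latest HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

# Constructed; in practice build this from the instance's package visibility settings.
PRIVATE_IMAGES = {"acme/backend"}


def find_anonymous_private_pulls(log_text, private_images):
    """Return one finding per successful anonymous manifest/blob GET of a private image."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Authenticated, non-GET, or refused requests are not what we are looking for.
        if m["identity"] != "-" or m["method"] != "GET" or m["status"] != "200":
            continue
        r = REGISTRY_RE.match(m["path"])
        if not r:
            continue
        name = f"{r['owner']}/{r['image']}"
        if name in private_images:
            findings.append({
                "client": m["client"], "time": m["time"],
                "image": name, "kind": r["kind"], "ref": r["ref"],
            })
    return findings


def summarize(findings):
    """Group findings as image -> sorted list of anonymous client addresses."""
    by_image = defaultdict(set)
    for f in findings:
        by_image[f["image"]].add(f["client"])
    return {image: sorted(clients) for image, clients in by_image.items()}


if __name__ == "__main__":
    hits = find_anonymous_private_pulls(SAMPLE_LOG, PRIVATE_IMAGES)
    for h in hits:
        print(f"{h['time']} {h['client']} fetched {h['kind']} {h['ref']} "
              f"of private image {h['image']} anonymously")
    print(summarize(hits))
```

On the sample data only the two `203.0.113.7` requests are flagged: alice's pull is authenticated, `acme/website` is not in the private set, and the final `401` is a refusal rather than a leak. Run it over the real access log with the real private-image list; a successful anonymous manifest or blob fetch of a private image before the upgrade is evidence that the image's contents should be treated as disclosed, including any secrets baked into its layers.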
Immediate mitigation and patching
Organizations running Gitea should upgrade to version 1.26.2 or later immediately. Where patching cannot happen right away, a temporary mitigation is available: setting REQUIRE_SIGNIN_VIEW=true in the [service] section of Gitea's configuration file (app.ini) forces all access, including registry access, to require a signed-in user. Note that this setting also blocks anonymous access to intentionally public repositories and packages, so anonymous pulls of public images will stop working until the instance is patched and the setting reverted.
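After upgrading (or after enabling REQUIRE_SIGNIN_VIEW), it is worth confirming from the outside that a private image can no longer be pulled without credentials. The following probe is an added example, not Gitea's or Noscope's code. It walks the Docker registry token handshake exactly as an unauthenticated client would: request an anonymous token from `/v2/token`, then ask for the image manifest with it. Assumptions: the host `gitea.example.com`, the image `acme/backend`, that Gitea's token endpoint returns a JSON object with a `token` field, and that a fixed instance answers with 401 or 403 (a 404 is also treated as not exposed). The `simulated_registry` doubles are constructed so the block runs offline; only run the live mode against instances you operate.

```python
"""Verify that a Gitea container registry refuses anonymous pulls of a private image.

Added example. Assumes the standard Docker registry token flow at /v2/token
(JSON field "token") and the OCI manifest path /v2/<owner>/<image>/manifests/<ref>.
"""
import json
import sys
import urllib.error
import urllib.request

MANIFEST_ACCEPT = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
])


def http_fetch(url, headers):
    """Plain HTTP GET returning (status, body); HTTP error statuses are results, not exceptions."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def anonymous_token(base_url, owner, image, fetch=http_fetch):
    """Token handshake with no credentials; returns the anonymous bearer token or None."""
    url = f"{base_url}/v2/token?service=container_registry&scope=repository:{owner}/{image}:pull"
    status, body = fetch(url, {})
    if status != 200:
        return None
    try:
        return json.loads(body).get("token")  # assumption: Gitea names the field "token"
    except ValueError:
        return None


def anonymous_manifest_status(base_url, owner, image, reference="latest", fetch=http_fetch):
    """Status code an unauthenticated client gets when requesting the image manifest."""
    headers = {"Accept": MANIFEST_ACCEPT}
    token = anonymous_token(base_url, owner, image, fetch)
    if token:
        headers["Authorization"] = f"Bearer {token}"
    status, _ = fetch(f"{base_url}/v2/{owner}/{image}/manifests/{reference}", headers)
    return status


def classify(status):
    if status == 200:
        return "EXPOSED"        # a private manifest was served to an anonymous client
    if status in (401, 403):
        return "protected"      # access control refused the anonymous request
    if status == 404:
        return "not found"      # wrong name/tag, or the instance hides private images as 404
    return f"inconclusive ({status})"


def check_private_image(base_url, owner, image, reference="latest", fetch=http_fetch):
    return classify(anonymous_manifest_status(base_url, owner, image, reference, fetch))


def simulated_registry(serves_private):
    """Constructed stand-in: an affected instance serves the manifest, a fixed one answers 401."""
    def fetch(url, headers):
        if "/v2/token" in url:
            return 200, b'{"token": "anonymous-token"}'
        if "/manifests/" in url:
            if serves_private:
                return 200, b'{"schemaVersion": 2}'
            return 401, b'{"errors": [{"code": "UNAUTHORIZED"}]}'
        return 404, b""
    return fetch


if __name__ == "__main__":
    base = "https://gitea.example.com"  # assumed host
    print("affected instance:", check_private_image(base, "acme", "backend", fetch=simulated_registry(True)))
    print("fixed instance:   ", check_private_image(base, "acme", "backend", fetch=simulated_registry(False)))
    # Live check: python3 probe.py https://gitea.example.com acme backend [tag]
    if len(sys.argv) >= 4:
        print("live:", check_private_image(*sys.argv[1:5]))
```

The handshake matters: a bare request with no bearer token is refused by any registry, public image or not, so a naive `curl` of the manifest URL would report "protected" even on an affected instance. Only a manifest served after the anonymous token exchange demonstrates the exposure.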
Forgejo, the actively maintained community fork of Gitea, is also affected by the same vulnerability. Organizations using Forgejo should monitor that project's security advisories for a corresponding patch release and apply it promptly.
Broader context
Self-hosted Git infrastructure has become an increasingly attractive target as organizations have moved sensitive development work away from public cloud platforms. Unlike managed services that receive automatic security updates, self-hosted platforms require organizations to manage patching themselves — a responsibility that, as this vulnerability demonstrates, can result in years of exposure when patch management practices are inconsistent.
The four-year window before disclosure also raises questions about how many organizations conduct security audits of their self-hosted development infrastructure. Container registries are critical components of modern software supply chains; a breach of private images is a breach of the software artifacts that get deployed to production systems.
Source: The Hacker News / Noscope Security Research, May 27, 2026