CVE-2026-27771

Gitea · Gitea Open Source Git Server

An unauthenticated access vulnerability in the Gitea and Forgejo container registry allows remote attackers to pull private container images due to missing authentication checks.

Executive summary

A critical unauthenticated access vulnerability in the Gitea container registry allows remote attackers to exfiltrate private images, potentially exposing sensitive credentials and source code.

Vulnerability

This is an unauthenticated access vulnerability in the container registry component. Remote attackers can pull private container images because the software fails to perform mandatory authentication checks before serving registry data.

Business impact

With a CVSS score of 8.2, this vulnerability is highly severe as it facilitates the unauthorized exposure of proprietary source code, API keys, and database credentials stored within container images. This exposure provides attackers with the necessary intelligence to escalate access, leading to broader infrastructure compromise and potential data breaches.

Remediation

Immediate Action: Update Gitea or Forgejo to version 1.26.2 or later immediately to enforce proper authentication on the container registry.

Proactive Monitoring: Audit access logs for the container registry to identify unusual pull requests or unauthorized attempts to access sensitive container images.

Compensating Controls: If an immediate update is not feasible, restrict network access to the Gitea/Forgejo registry service to trusted internal IP ranges using a firewall or WAF.

Exploitation status

Public Exploit Available: true

Analyst recommendation

This vulnerability is critical due to the availability of public exploits and the potential for massive data exposure. Administrators must treat this as a top-priority security event and apply the 1.26.2 update across all affected deployments to prevent unauthorized data exfiltration.