Last updated: July 5, 2026 at 9:01 AM UTC
Tag: forgejo (1 article)

Gitea CVE-2026-27771 (CVSS 8.2) lets unauthenticated attackers pull private container images - ~30,000 deployments exposed for four years, Forgejo affected

Noscope has disclosed CVE-2026-27771 (CVSS 8.2), a flaw in the self-hosted Gitea version-control platform that lets unauthenticated remote attackers pull private container images with no account, password, or prior access. The 'private' designation on a container repository was simply not enforced. It affects all Gitea versions before 1.26.2 and went undetected for nearly four years; Noscope estimates 30,000+ exposed deployments across 30+ countries, with most exposure in China, the US, Germany, France, and the UK, spanning healthcare, aerospace, retail, and ISPs. Forgejo is confirmed affected, and any Gitea fork should be treated as vulnerable until verified. Technical details were withheld to allow time for patching.

Check
Inventory self-hosted Gitea and Forgejo instances and confirm version. Check whether the container registry is internet-exposed. Review registry pull logs for unauthenticated access to private images.
Affected
All Gitea versions before 1.26.2 and confirmed-affected Forgejo, plus unverified Gitea forks. ~30,000 exposed deployments across 30+ countries in healthcare, aerospace, retail, and ISP sectors.
Fix
Upgrade Gitea to 1.26.2 immediately. Temporary workaround: set [service].REQUIRE_SIGNIN_VIEW=true in app.ini (unsuitable if some containers must stay public, since it requires sign-in for all viewing). Rotate any secrets baked into exposed private images.
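As an added example (not from the advisory, nor code from the Gitea or Forgejo projects), a small Python triage helper that applies the Check and Fix steps above: it parses the version string Gitea reports at its /api/v1/version endpoint, compares it with the fixed release 1.26.2, and inspects an app.ini fragment for the REQUIRE_SIGNIN_VIEW workaround. The app.ini sample is constructed, and the fetch helper assumes the instance is reachable over HTTPS from where the script runs.

```python
import re
import configparser
import json
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = (1, 26, 2)  # first Gitea release with the fix, per the advisory

# Constructed sample app.ini fragment (not from any real deployment).
SAMPLE_INI = """\
; constructed sample
APP_NAME = Gitea: Git with a cup of tea
[server]
ROOT_URL = https://git.example.internal/
[service]
REQUIRE_SIGNIN_VIEW = true
"""

def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Extract MAJOR.MINOR.PATCH from strings such as '1.26.1', 'v1.25.0' or
    '1.26.2+dev-12-gabc1234'. Build suffixes and pre-release tags are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return None if m is None else tuple(int(x) for x in m.groups())

def is_vulnerable(raw_version: str) -> bool:
    """True when the reported version predates 1.26.2.
    Unparseable versions are treated as vulnerable (fail closed)."""
    v = parse_version(raw_version)
    return v is None or v < FIXED_VERSION

def workaround_enabled(app_ini: str) -> bool:
    """True when [service] REQUIRE_SIGNIN_VIEW is set to true in app.ini text.
    Gitea allows keys before the first section, which configparser rejects,
    so a dummy root section is prepended before parsing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[__root__]\n" + app_ini)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)

def assess(raw_version: str, app_ini: str) -> str:
    """Summarise the state of one instance as a single action string."""
    if not is_vulnerable(raw_version):
        return "patched"
    if workaround_enabled(app_ini):
        return "workaround active: still upgrade to 1.26.2"
    return "EXPOSED: upgrade to 1.26.2 or enable REQUIRE_SIGNIN_VIEW now"

def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Query the Gitea/Forgejo version API of one of your own instances."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/v1/version", timeout=timeout) as r:
        return json.load(r)["version"]

if __name__ == "__main__":
    print(assess("1.25.3+dev-12-gabc1234", SAMPLE_INI))
```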