CVE-2026-27771: Gitea Vulnerability Allows Unauthenticated Pull of Private Container Images
Patch: Upgrade Gitea to version 1.26.2 or later immediately to fix CVE-2026-27771 and prevent unauthenticated pull of private container images.
Summary
An unauthenticated remote vulnerability, CVE-2026-27771, has been disclosed in Gitea, the open-source self-hosted version control platform. The flaw, rated CVSS 8.2, lets attackers pull private container images from Gitea deployments without any credentials. All versions of Gitea prior to 1.26.2 are affected, so the issue is widespread across installations. It can be exploited by sending a crafted HTTP request to the container registry endpoint that bypasses the authentication checks. Attackers could use the stolen images to host malicious code or exfiltrate data. Gitea has released version 1.26.2, which removes the insecure registry endpoint and enforces authentication. Administrators should upgrade immediately to mitigate the risk. The incident underscores the importance of keeping self-hosted platforms up to date and monitoring registry access logs.
Key changes
- CVE-2026-27771 allows unauthenticated pull of private container images
- CVSS score 8.2 indicates high severity
- All Gitea versions <1.26.2 are affected
- Exploit uses crafted HTTP request to registry endpoint
- Attackers can host malicious code or exfiltrate data
- Gitea 1.26.2 removes insecure registry endpoint
- Upgrade required to mitigate risk
- Administrators should monitor registry access logs
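Two of the actions the advisory calls for, confirming that a deployment is on 1.26.2 or later and reviewing registry access logs for anonymous pulls of private images, worked through as an added example; this is not Gitea's code and not part of the original advisory. It assumes that Gitea's default access log uses a combined-log-style line (identity shown as `-` when unauthenticated) and that registry pulls follow the standard OCI `/v2/<owner>/<image>/manifests|blobs/...` layout; the advisory does not name the exact vulnerable route, and the log lines and private-image list below are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# --- 1. Mitigation check: is this Gitea on 1.26.2 or later? ---------------------------
# Gitea reports its version at GET /api/v1/version as {"version": "..."}; strings such as
# "1.27.0+dev-12-gabcdef" carry build metadata after the numeric core, so only the leading
# major.minor.patch triple is compared.
PATCHED_VERSION = (1, 26, 2)
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def is_patched(version: str) -> bool:
    """Return True when `version` is 1.26.2 or later; raise on unparseable input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {version!r}")
    return tuple(int(part) for part in m.groups()) >= PATCHED_VERSION


# --- 2. Detection: anonymous successful pulls of private images from the registry -------
# Combined-log-style line: host, identity ('-' when unauthenticated), timestamp, request
# line, status, size. Assumption: Gitea's default ACCESS_LOG_TEMPLATE has this shape;
# adapt the regex if a deployment uses a custom template.
ACCESS_LINE_RE = re.compile(
    r'^(?P<host>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Assumption: registry pulls use the standard OCI distribution layout under /v2/ with
# <owner>/<image> names; the advisory does not name the exact vulnerable route.
REGISTRY_PULL_RE = re.compile(
    r"^/v2/(?P<image>[^/]+/[^/]+)/(?P<kind>manifests|blobs)/(?P<ref>[^?]+)"
)


@dataclass(frozen=True)
class Finding:
    host: str
    timestamp: str
    image: str
    kind: str  # "manifests" or "blobs"
    ref: str   # tag or digest requested


def find_anonymous_private_pulls(lines: Iterable[str], private_images: Set[str]) -> List[Finding]:
    """Flag HTTP 200 GET/HEAD registry pulls of known-private images made with no identity.

    Anonymous pulls of public packages are normal, so only images listed in
    `private_images` are reported; an unauthenticated 401 on /v2/ is the expected
    registry challenge and is ignored.
    """
    findings: List[Finding] = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m or m["user"] != "-" or m["status"] != "200":
            continue
        if m["method"] not in ("GET", "HEAD"):
            continue
        pull = REGISTRY_PULL_RE.match(m["path"])
        if not pull or pull["image"] not in private_images:
            continue
        findings.append(Finding(m["host"], m["ts"], pull["image"], pull["kind"], pull["ref"]))
    return findings


# Constructed sample data: a private image pulled anonymously twice, the same image pulled
# by a logged-in user, a public image pulled anonymously, and an unrelated web request.
PRIVATE_IMAGES = {"acme/internal-app"}
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:12:01 +0000] "GET /v2/ HTTP/1.1" 401 0 "-" "docker/27.0"
203.0.113.7 - - [10/Mar/2026:08:12:02 +0000] "GET /v2/acme/internal-app/manifests/latest HTTP/1.1" 200 1532 "-" "docker/27.0"
203.0.113.7 - - [10/Mar/2026:08:12:03 +0000] "GET /v2/acme/internal-app/blobs/sha256:0000 HTTP/1.1" 200 48211 "-" "docker/27.0"
198.51.100.4 - alice [10/Mar/2026:08:15:10 +0000] "GET /v2/acme/internal-app/manifests/latest HTTP/1.1" 200 1532 "-" "docker/27.0"
203.0.113.9 - - [10/Mar/2026:08:20:00 +0000] "GET /v2/acme/public-cli/manifests/1.0 HTTP/1.1" 200 900 "-" "oras/1.2"
192.0.2.5 - - [10/Mar/2026:08:21:00 +0000] "GET /acme/internal-app HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
"""


def sample_findings() -> List[Finding]:
    """Run the detector over the constructed log; expected: two findings for acme/internal-app."""
    return find_anonymous_private_pulls(SAMPLE_LOG.splitlines(), PRIVATE_IMAGES)


if __name__ == "__main__":
    for v in ("1.26.1", "1.26.2", "1.27.0+dev-12-gabcdef"):
        print(f"{v:>24}: {'patched' if is_patched(v) else 'VULNERABLE, upgrade'}")
    for f in sample_findings():
        print(f"anonymous pull of private image {f.image} ({f.kind} {f.ref}) "
              f"from {f.host} at {f.timestamp}")
```

The private-image list is what keeps the detector useful: Gitea serves public packages to anonymous clients by design, so an anonymous `200` on `/v2/...` is only suspicious for images that should require login. Feed the script the exported access log and the list of private packages from the Gitea UI; any hit from before the upgrade to 1.26.2 is worth treating as a potential disclosure of that image's contents.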