A flaw in Gitea could let outsiders download supposedly private software container images from many self-hosted code servers. NoScope says CVE-2026-27771 is an access-control bug in Gitea’s built-in container registry, also affecting Forgejo, where anonymous Docker/OCI pull requests could retrieve private images; Gitea patched it in version 1.26.2, and Shodan data suggested roughly 31,750 internet-facing instances were likely vulnerable.
Why it matters: Private container images can contain source code, credentials, and details about production systems, so this exposure could hand attackers valuable access and intelligence. Organizations running self-hosted Gitea or Forgejo should update to 1.26.2 immediately or enforce authentication for all content access if possible.
Ionut Arghire
2026.05.28