PT-2026-43391 · Gitea · Gitea
Devnoscope
·
Published
2026-04-19
·
Updated
2026-07-11
·
CVE-2026-27771
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Gitea versions prior to 1.26.2
Forgejo versions prior to 1.26.2
Description
A critical access control issue in the container registry allows unauthenticated remote attackers to pull private container images without credentials. The system failed to properly enforce the private flag, causing the registry to provide images in response to standard anonymous Docker/OCI merge requests via the registry API. This flaw existed for approximately four years and potentially affected over 30,000 deployments worldwide, including roughly 4,000 production systems on major cloud platforms. Exploitation could lead to the exposure of sensitive information, such as source code, secrets, and infrastructure details.
Recommendations
Update to version 1.26.2 or later.
As a temporary workaround, enable
REQUIRE SIGNIN VIEW to enforce authentication for all content access.Exploit
Fix
Missing Authorization
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Gitea