PT-2026-43391 · Gitea · Gitea

Devnoscope

·

Published

2026-04-19

·

Updated

2026-07-11

·

CVE-2026-27771

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.2 Forgejo versions prior to 1.26.2
Description A critical access control issue in the container registry allows unauthenticated remote attackers to pull private container images without credentials. The system failed to properly enforce the private flag, causing the registry to provide images in response to standard anonymous Docker/OCI merge requests via the registry API. This flaw existed for approximately four years and potentially affected over 30,000 deployments worldwide, including roughly 4,000 production systems on major cloud platforms. Exploitation could lead to the exposure of sensitive information, such as source code, secrets, and infrastructure details.
Recommendations Update to version 1.26.2 or later. As a temporary workaround, enable REQUIRE SIGNIN VIEW to enforce authentication for all content access.

Exploit

Fix

Missing Authorization

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07479
CVE-2026-27771
GHSA-8QW8-RQ86-9PC2

Affected Products

Gitea