Critical Gitea Container Registry Flaw Exposes Private Images to Unauthenticated Attackers A severe security vulnerability in Gitea’s built-in container registry (CVE-2026-27771) allows unauthenticated attackers to access and download private container images, posing major risks to self-hosted Git and CI/CD environments. The flaw stems from improper access control enforcement in the registry endpoint, enabling attackers to bypass authentication and retrieve image manifests and layers via standard Docker or OCI pull requests. The impact is significant, as exposed container images often contain sensitive data including proprietary code, API keys, database credentials, and cloud access tokens. Unauthorized access could lead to infrastructure mapping, privilege escalation, lateral movement, or full system compromise. Worst-case scenarios include data breaches or complete infrastructure takeover. All Gitea versions prior to 1.26.2 are affected, along with Forgejo, a widely used fork sharing the same registry implementation. Researchers estimate over 31,000 internet-facing Gitea instances spanning healthcare, aerospace, retail, and enterprise sectors are potentially vulnerable, many hosted on major cloud platforms. Discovered in April 2026 by NoScope, an autonomous penetration testing agent, the flaw went undetected for nearly four years. While no active exploitation has been observed, security firm Orca Security warns of its high risk due to its simplicity and lack of authentication requirements. Gitea released a patch in version 1.26.2. As a temporary workaround, administrators can enforce authentication via the `REQUIRE_SIGNIN_VIEW` setting, though this may disrupt public access. Security teams are advised to audit logs for unauthorized pulls and rotate exposed credentials. Organizations using Gitea for container storage or CI/CD workflows should prioritize remediation to mitigate potential exposure.