Gitea CVE-2026-27771 exposed private container images without authentication


CVE-2026-27771: NoScope Discovered 30,000+ Gitea Instances Exposing Private Container Images for 4 Years

Gitea private container images were accessible to anyone on the internet, no credentials required, across healthcare, aerospace, and critical infrastructure worldwide.

May 25, 2026

TL;DR: CVE-2026-27771 allowed unauthenticated access to private container images on Gitea instances. 30,000+ deployments were affected. The flaw went undetected for 4 years. NoScope discovered and responsibly disclosed it. If you run Gitea, update to v1.26.2 immediately.

If you can't update right now, set [service].REQUIRE_SIGNIN_VIEW=true in your Gitea configuration as a temporary stopgap. Note that this stopgap isn't suitable if you intentionally expose some containers publicly.
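As an added example (not code from this post or from the Gitea project), a small audit helper that applies the two remediations above to a deployment: it compares a version string of the kind Gitea's GET /api/v1/version endpoint returns against v1.26.2, and reads REQUIRE_SIGNIN_VIEW from an app.ini; the sample version and configuration values are constructed assumptions.

```python
"""Audit a Gitea deployment against the two remediations for CVE-2026-27771:
the fixed release v1.26.2, or the stopgap [service] REQUIRE_SIGNIN_VIEW = true.
Version and config values below are constructed samples, not a real host."""
import configparser
import re

FIXED_VERSION = (1, 26, 2)

def parse_version(text: str) -> tuple:
    """'1.26.1' or 'v1.26.2+dev-42-gabc' (GET /api/v1/version) -> (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION

def require_signin_view(app_ini: str) -> bool:
    """True only if REQUIRE_SIGNIN_VIEW is explicitly enabled; Gitea defaults to false."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini may carry keys (APP_NAME, RUN_MODE) before the first section header.
    cfg.read_string("[DEFAULT]\n" + app_ini)
    return cfg.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)

def assess(version: str, app_ini: str) -> str:
    """'patched' beats 'stopgap' beats 'exposed'; only 'exposed' needs action today."""
    if is_patched(version):
        return "patched"
    if require_signin_view(app_ini):
        return "stopgap"
    return "exposed"

# Constructed sample: an unpatched instance that still allows anonymous viewing.
SAMPLE_INI = """\
APP_NAME = Gitea
[server]
DOMAIN = git.example.internal
[service]
REQUIRE_SIGNIN_VIEW = false
"""

if __name__ == "__main__":
    print(assess("v1.26.1", SAMPLE_INI))
```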

If your team runs Gitea and uses its built-in container registry, there's a question you should be asking right now: has anyone been reading your private images?

Not because you misconfigured something. Not because someone phished your credentials. Because for close to four years, Gitea's container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull container images that were marked private on affected instances as if they were public.

In April 2026, NoScope found it.
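The question above ("has anyone been reading your private images?") is one operators can start answering from their own access logs. The following is an added example, not code from this post or from Gitea: it assumes Gitea's default access-log line layout (identity field "-" for anonymous requests) and the OCI distribution paths Gitea serves under /v2/, and flags anonymous successful manifest or blob reads against images the operator lists as private. The log lines and image names are constructed samples.

```python
"""Hunt Gitea access logs for anonymous reads of private container images.
Assumed default access-log layout ([log] ENABLE_ACCESS_LOG = true):
  <remote> - <identity> [<time>] "<method> <uri> <proto>" <status> <size> ...
identity is "-" when anonymous; registry paths are the OCI distribution API
served under /v2/<owner>/<image>/{manifests,blobs}/. Log lines are constructed."""
import re
from collections import Counter

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<identity>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# Only manifest and blob reads hand over image content. GET /v2/ and token
# negotiation are anonymous for every client and are not evidence of anything.
REGISTRY_RE = re.compile(r'^/v2/(?P<owner>[^/]+)/(?P<image>.+?)/(?:manifests|blobs)/')

def parse_line(line: str):
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def find_anonymous_private_reads(lines, private_images):
    """Return (ip, owner/image, uri) for each anonymous 200 against a private image."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in ("GET", "HEAD") or rec["status"] != "200":
            continue
        if rec["identity"] != "-":
            continue  # a signed-in user or token: went through authorisation
        pm = REGISTRY_RE.match(rec["uri"])
        if pm and f"{pm['owner']}/{pm['image']}" in private_images:
            hits.append((rec["ip"], f"{pm['owner']}/{pm['image']}", rec["uri"]))
    return hits

def summarise(hits):
    """Count reads per (source IP, image) so repeat pullers stand out for triage."""
    return Counter((ip, name) for ip, name, _ in hits)

PRIVATE_IMAGES = {"acme/payments-api"}   # from your own registry inventory
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2026:10:12:44 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/26.0"',
    '203.0.113.7 - - [25/May/2026:10:12:45 +0000] "GET /v2/acme/payments-api/manifests/latest HTTP/1.1" 200 1547 "" "docker/26.0"',
    '203.0.113.7 - - [25/May/2026:10:12:46 +0000] "GET /v2/acme/payments-api/blobs/sha256:PLACEHOLDER HTTP/1.1" 200 31874920 "" "docker/26.0"',
    '10.0.0.5 - alice [25/May/2026:10:13:01 +0000] "GET /v2/acme/payments-api/manifests/latest HTTP/1.1" 200 1547 "" "docker/26.0"',
    '198.51.100.9 - - [25/May/2026:10:14:10 +0000] "GET /v2/acme/public-site/manifests/latest HTTP/1.1" 200 1200 "" "curl/8.6"',
]

if __name__ == "__main__":
    print(summarise(find_anonymous_private_reads(SAMPLE_LOG, PRIVATE_IMAGES)))
```

If access logging was not enabled before patching, the same check can be run against reverse-proxy logs in front of Gitea, provided they record the request path and status.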

What container images actually contain

Before we get to the numbers, it's worth being specific about what's at stake.

A container image isn't just a deployable artifact. It's a complete snapshot of a running environment: the application code, its dependencies, its configuration, and very often things that should never have been packaged in the first place: database credentials, API keys, internal service endpoints, TLS certificates, hard-coded environment variables pointing at production infrastructure.

In a lot of organisations, the image is effectively a photograph of how production is wired together. Teams push them to private registries with the expectation that "private" means something. On affected Gitea instances, it didn't.

What NoScope found

The NoScope pentesting agent is an autonomous system that approaches a target with an attacker's mindset. It operates on a carefully curated methodology, refined by in-the-field experience from real pentesters, and applies that methodology systematically and effectively across the full functionality an application exposes.

That systematic coverage is what produced this finding. The flaw lives in a registry feature that, from the outside, behaves exactly as documented. There is nothing about it that draws attention on a casual look. NoScope's methodology exercises the access model from every angle the surface supports, and the gap surfaced from there.

The full impact was then confirmed by our research team in a controlled environment against a Gitea instance configured exactly as a typical maintainer would. The finding reproduced cleanly. The default configuration was sufficient to expose it.

On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to. Specific exploitation details are not published here. Full technical details have been shared with the Gitea maintainer team and are available alongside the official advisory at CVE-2026-27771.

At no point during this research was any private image content accessed, downloaded, or inspected from any third-party host. All research was conducted in a controlled environment.

The reach of it

Finding a vulnerability on one instance is one thing. Understanding how many people it affects is another.

Shodan was used to identify internet-facing Gitea instances carrying the platform's default identifier, a deliberately conservative approach. It only catches instances that haven't customised their public-facing presentation. Instances behind reverse proxies with custom branding, those running Forgejo or other Gitea forks, and anything Shodan hasn't indexed are all invisible to this query. The numbers below are a floor.

Shodan reported 34,144 matching hosts at the time of the work. Across a 100-host sample, 93 returned responses consistent with the issue being present on a non-invasive probe that stops well short of accessing any private content. Applied across the Shodan population, that puts a conservative floor of approximately 31,750 likely-affected instances from this one narrow query alone.

Digging into that population is where the picture gets more concerning.

It's production infrastructure, not hobby machines

A 9,500-host subset of Shodan's results was pulled for a closer look at the metadata Shodan already provides on each entry: country, hosting organisation, port configuration. The picture is unambiguous:

52% run...
