Gitea Vulnerability Exposes Private Container Images without Authentication

A critical security vulnerability in Gitea (CVE-2026-27771) allows unauthenticated attackers to pull private container images without credentials.

• •The vulnerability affects all Gitea versions prior to 1.26.2 and has remained undetected for approximately four years.
• •Over 30,000 deployments across 30+ countries are impacted, including organizations in healthcare, aerospace, retail, and ISP sectors.
• •The private designation on container repositories failed to provide expected protection, exposing sensitive container images.
• •Gitea users should upgrade to version 1.26.2 immediately, or configure REQUIRE_SIGNIN_VIEW=true as a temporary workaround.
• •Forgejo, a Gitea fork, has also been confirmed as impacted by this vulnerability.