Gitea Container Registry Vulnerability Could Lead to Private Image Exposure
ID: a0ecab76-ac1a-5e75-82d6-b8c7d8c7427b
STIX ID: report--a0ecab76-ac1a-5e75-82d6-b8c7d8c7427b
Feed Name: GBHackers
A critical vulnerability (CVE-2026-27771) in Gitea’s built-in container registry permits unauthenticated remote attackers to pull private container images, potentially exposing source code, secrets, and infrastructure configurations. The flaw affects all Gitea versions before 1.26.2 and Forgejo instances using the same registry implementation, with researchers estimating roughly 31,750 vulnerable internet-facing instances across multiple countries. Administrators are advised to upgrade immediately, enable REQUIRE_SIGNIN_VIEW as a temporary mitigation, audit logs, rotate exposed credentials, and review CI/CD pipelines.
