Gitea Vulnerability Exposed 30,000 Deployments to Attacks
Security WeekArchived May 28, 2026✓ Full text saved
The security flaw allowed attackers to pull private container images, exposing source code, credentials, and infrastructure. The post Gitea Vulnerability Exposed 30,000 Deployments to Attacks appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
A vulnerability in open source, self-hosted Git service Gitea could have allowed unauthenticated attackers to pull private container images from over 30,000 deployments, AI pentesting firm NoScope warns.
Tracked as CVE-2026-27771, the security flaw is described as an access control issue impacting Gitea’s built-in container registry. Forgejo, which shares the implementation, is also affected. Other Gitea-derived forks may be impacted as well.
Due to the flaw, authentication requirements were not enforced on images marked as private, and the container registry still served them in response to standard, anonymous Docker/OCI pull requests to the registry API.
The security defect lurked in Gitea’s code for approximately four years before being patched in version 1.26.2, which was released last week.
“Gitea’s container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public,” NoScope says.
Because container images may contain sensitive information such as source code, secrets, and production infrastructure details, the impact from the bug is considerable, the security firm warns.
According to NoScope, a Shodan search uncovered over 34,000 internet-facing Gitea instances. Of these, approximately 93%, or 31,750, were likely vulnerable.
Analysis of the potentially affected deployments revealed that roughly 4,000 were production systems running on major cloud or VPS platforms. Approximately 7,000 instances, NoScope says, were running on Gitea’s default port.
“The data is unambiguous. These aren’t hobby machines. These are organisations that made a deliberate decision to self-host their development infrastructure, running it on production-grade compute, for real workloads,” the AI pentesting firm notes.
Organizations are advised to update to Gitea version 1.26.2 immediately, or to change the configuration settings to require authentication for all content access.
“Note that this setting is not suitable for instances that intentionally expose some containers publicly; operators in that situation should weigh the trade-off carefully,” NoScope says.
Related: Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate
Related: Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images
Related: Ghost CMS Vulnerability Exploited to Hack Over 700 Websites
Related:‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
GlassWorm Botnet Disrupted
FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data
CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
Iranian APT Targets Aviation, Software Companies With Updated Tools
185,000 Likely Impacted by 7-Eleven Data Breach
Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment
Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands
266,000 Affected by Data Breach at Radiology Associates of Richmond
Latest News
New Edamame Platform Aims to Catch AI Coding Agents Going Off the Rails
Raising the Cybersecurity Stakes: Ante up for the Agentic Era
Google Unveils AI Threat Defense Platform to Fight AI-Powered Cyberattacks
UK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia
Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate
SecurityWeek to Host AI Risk Summit August 11-12 at the Ritz-Carlton, Half Moon Bay
RevEng.AI Raises $15 Million to Hunt for Flaws and Backdoors in Software Binaries
Romanian Hacker Sentenced to Prison in US for Selling Access to State Network
Trending
Virtual Event: Threat Detection And Incident Response Summit
On-Demand
Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.
Register
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
People on the Move
Joe Chen has become Chief Technology Officer at Trellix.
Usercentrics has named Pawan Hegde as COO and Elena Ignatova as CPTO.
SecureAuth has named Mark van Oppen as Chief Revenue Officer.
More People On The Move
Expert Insights
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Caught Off Guard: Securing AI After It Hits Production
As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb)
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Is The SOC Obsolete, And We Just Haven’t Admitted It Yet?
Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au)
Flipboard
Reddit
Whatsapp
Email