Unauthenticated Remote Attackers Can Pull Private Container Images from Gitea (CVE‑2026‑27771)
What It Is — A remote, unauthenticated vulnerability in the open‑source Gitea platform (CVE‑2026‑27771) that allows an attacker to retrieve private container images hosted on a Gitea instance without any credentials.
Exploitability — The flaw can be triggered with a single HTTP request; no proof‑of‑concept code is required. No CVSS score has been published yet, but the confidentiality impact is high because proprietary images and embedded secrets can be exfiltrated.
Affected Products — All self‑hosted Gitea deployments running a version earlier than 1.26.2.
TPRM Impact —
- Private container images often contain source code, build artefacts, and embedded secrets; exposure creates a direct supply‑chain risk for downstream services.
- Organizations that embed Gitea in their CI/CD pipelines may inadvertently leak intellectual property to competitors or threat actors.
- Third‑party vendors that consume images from a compromised Gitea instance could inherit malicious or tampered artefacts.
Recommended Actions —
- Upgrade all Gitea instances to v1.26.2 or later without delay.
- Audit recent container‑image pull logs for anomalous activity and rotate any secrets discovered in exposed images.
- If an immediate upgrade is not feasible, restrict network access to the
/docker/endpoint (e.g., firewall, VPN, or zero‑trust policies). - Conduct a downstream dependency review to ensure no downstream services have already consumed compromised images.
- Incorporate this CVE into your vendor risk inventory and monitor for any related threat‑intel feeds.
Source: The Hacker News