A vulnerability in the open-source Git service Gitea allows unauthenticated attackers to access private container images on more than 30,000 affected instances. The flaw, tracked as CVE-2026-27771, is an access control issue in Gitea's container registry, which did not enforce authentication for private images. The problem persisted for about four years before being fixed in version 1.26.2.
An estimated 93% of the 34,000 internet-facing Gitea instances are potentially vulnerable, impacting production systems running on major cloud platforms. Organizations are urged to update their deployments to prevent unauthorized access to sensitive information contained in these images.