# Critical Vulnerability in Gitea Exposes Private Container Images for Four Years
A critical vulnerability in **Gitea**, the self-hosted Git service, has been discovered, allowing unauthenticated attackers to pull private container images. The flaw, present for nearly four years, impacts over 30,000 deployments globally and has been assigned the identifier **CVE-2026-27771**.

Cybersecurity researchers have uncovered a significant security flaw in **Gitea**, an open-source, self-hosted platform for version control. This vulnerability allows remote, unauthenticated attackers to pull private container images from vulnerable **Gitea** deployments without needing an account, password, or any other form of authentication.
## Vulnerability Details
The vulnerability, tracked as **CVE-2026-27771** (CVSS score: N/A), affects all **Gitea** versions prior to 1.26.2. Version 1.26.2 addresses the issue, and users are strongly advised to upgrade to 1.26.2 or later.
According to **Noscope**, the security vulnerability has potentially impacted over 30,000 deployments across more than 30 countries, remaining undetected for approximately four years. The majority of exposed instances are located in China, the U.S., Germany, France, and the U.K. Affected organizations span various sectors, including healthcare, aerospace, retail, and internet service providers.
"On affected versions, the private designation on a container repository did not deliver the protection operators reasonably expected it to," **Noscope** stated.
"**Gitea's** container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public."
## Impact and Mitigation
The U.K.-based security firm also warns that any fork of **Gitea** should be considered potentially vulnerable until verified by its maintainers. **Forgejo**, for example, has been confirmed to be impacted.

**Gitea** users are urged to update to version 1.26.2 immediately; upgrading is the only complete fix. If patching isn't immediately feasible, a temporary workaround is to set `[service].REQUIRE_SIGNIN_VIEW=true` in the **Gitea** configuration file. Be aware that this setting requires sign-in to view any content on the instance, so it may not be suitable if some containers are intended for public access.
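As an added illustration of the two remediation paths above (this is example code, not part of the article and not Gitea's own tooling), the shell script below classifies an instance as patched (version 1.26.2 or later), mitigated (`REQUIRE_SIGNIN_VIEW = true` in the `[service]` section of Gitea's `app.ini`), or exposed. The version strings and `app.ini` files it reads are constructed samples, and the exact format of `gitea --version` output is an assumption; the `[service]` key and the fixed version come from the advisory text.

```shell
#!/bin/sh
# Added example, not code from the article or from the Gitea project.
# Classifies a Gitea instance as "patched" (>= 1.26.2), "mitigated"
# (REQUIRE_SIGNIN_VIEW = true in the [service] section of app.ini), or
# "exposed". The sample version strings and app.ini files are constructed,
# and the exact format of `gitea --version` output is an assumption.

# Return 0 if the version in $1 is 1.26.2 or later (the fixed release), else 1.
# Accepts a bare "1.26.1" or a full "Gitea version 1.26.1 built with ..." line.
gitea_version_is_fixed() {
  v=$(printf '%s\n' "$1" | sed 's/^[Gg]itea version //; s/^v//; s/[^0-9.].*$//')
  case "$v" in
    *.*.*) ;;                  # looks like x.y.z, continue
    *) return 1 ;;             # unrecognised, treat as not fixed
  esac
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
  [ "$maj" -gt 1 ] && return 0
  [ "$maj" -eq 1 ] && [ "$min" -gt 26 ] && return 0
  [ "$maj" -eq 1 ] && [ "$min" -eq 26 ] && [ "$pat" -ge 2 ] && return 0
  return 1
}

# Return 0 if the [service] section of the app.ini at $1 sets
# REQUIRE_SIGNIN_VIEW to true; the same key in any other section does not count.
require_signin_view_enabled() {
  awk '
    /^[[:space:]]*\[/ { in_service = ($0 ~ /^[[:space:]]*\[service\][[:space:]]*$/) }
    in_service && /^[[:space:]]*REQUIRE_SIGNIN_VIEW[[:space:]]*=/ {
      split($0, kv, "="); val = kv[2]
      gsub(/[[:space:]]/, "", val)
      if (tolower(val) == "true") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Print patched | mitigated | exposed for a version string ($1) and app.ini ($2).
gitea_patch_status() {
  if gitea_version_is_fixed "$1"; then
    echo patched
  elif require_signin_view_enabled "$2"; then
    echo mitigated
  else
    echo exposed
  fi
}

# --- constructed samples (not real instances) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
OLD_VERSION="Gitea version 1.26.1 built with GNU Make 4.4.1, go1.22.3"   # constructed

cat > "$SAMPLE_DIR/weak.ini" <<'EOF'
; constructed app.ini: default setting, anonymous viewing allowed
[service]
REQUIRE_SIGNIN_VIEW = false
[server]
HTTP_PORT = 3000
EOF

cat > "$SAMPLE_DIR/mitigated.ini" <<'EOF'
; constructed app.ini: temporary workaround from the advisory applied
[service]
REQUIRE_SIGNIN_VIEW = true
EOF

for cfg in weak mitigated; do
  printf '%-10s %s\n' "$cfg:" "$(gitea_patch_status "$OLD_VERSION" "$SAMPLE_DIR/$cfg.ini")"
done
```

On a real host you would pass the output of `gitea --version` and the path to your `app.ini` to `gitea_patch_status`; anything other than `patched` means the upgrade is still outstanding, and `mitigated` only holds as long as the whole instance can tolerate mandatory sign-in.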