HIGH
Gitea CVE-2026-27771: Unauthenticated Attackers Can Pull Private Container Images
CVE-2026-27771 in Gitea allows unauthenticated remote attackers to pull private container images from any Gitea deployment without credentials. All versions prior to 1.26.2 are affected; no CVSS score has been published yet.
Organizations using Gitea as a self-hosted container registry should upgrade to 1.26.2 immediately. Until patched, restrict public network access to Gitea’s container registry endpoints. Review container registry access logs to determine whether unauthorized clients have already pulled any private images.
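One way to run the log review described above, as an added example (not code from Gitea or from this advisory): it scans a reverse-proxy access log for served pulls of private images from clients outside your known networks. The combined log format, the repository names, the trusted CIDR and the sample lines are assumptions; source address is used as the signal because this log format does not record whether a request was authenticated.

```python
import ipaddress
import re

# Assumption: combined-format access log from a reverse proxy in front of Gitea.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# OCI distribution pull endpoints: /v2/<name>/manifests/<ref>, /v2/<name>/blobs/<digest>
PULL_RE = re.compile(r'^/v2/(?P<repo>.+)/(?P<kind>manifests|blobs)/(?P<ref>[^/?]+)')

# Constructed sample lines (documentation IP ranges, hypothetical repositories).
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:09:14:02 +0000] "GET /v2/acme/internal-api/manifests/1.4.2 HTTP/1.1" 200 1578 "-" "docker/26.1"',
    '203.0.113.7 - - [01/Jan/2026:09:31:47 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1578 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Jan/2026:09:31:48 +0000] "GET /v2/acme/internal-api/blobs/sha256:aaaa HTTP/1.1" 200 52341 "-" "curl/8.5.0"',
    '198.51.100.23 - - [01/Jan/2026:09:40:10 +0000] "GET /v2/acme/public-docs/manifests/latest HTTP/1.1" 200 901 "-" "docker/26.1"',
    '203.0.113.7 - - [01/Jan/2026:09:41:00 +0000] "GET /v2/acme/billing/manifests/latest HTTP/1.1" 401 120 "-" "curl/8.5.0"',
]

def find_suspect_pulls(lines, private_repos, trusted_cidrs):
    """Return (timestamp, ip, repo, kind, ref) for served pulls of private
    repositories from clients outside the trusted networks."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        # Only GETs that were served count as a pull; 4xx/5xx delivered nothing.
        if not m or m["method"] != "GET" or int(m["status"]) >= 400:
            continue
        p = PULL_RE.match(m["path"])
        if not p or p["repo"] not in private_repos:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address: skipped here
        if not any(ip in n for n in nets):
            hits.append((m["ts"], m["ip"], p["repo"], p["kind"], p["ref"]))
    return hits

if __name__ == "__main__":
    private = {"acme/internal-api", "acme/billing"}  # hypothetical private images
    for hit in find_suspect_pulls(SAMPLE_LOG, private, ["10.0.0.0/8"]):
        print(*hit)
```

Any hit on a `manifests` path followed by `blobs` requests from the same address indicates image content left the registry; treat those images, and any secrets baked into them, as exposed.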