Vulnerabilities

Gitea Vulnerability Exposed 30,000 Deployments to Attacks

The security flaw allowed attackers to pull private container images, exposing source code, credentials, and infrastructure.

By Ionut Arghire | May 28, 2026 (7:24 AM ET)

A vulnerability in the open source, self-hosted Git service Gitea could have allowed unauthenticated attackers to pull private container images from over 30,000 deployments, AI pentesting firm NoScope warns.

Tracked as CVE-2026-27771, the security flaw is described as an access control issue affecting Gitea’s built-in container registry. Forgejo, which shares the implementation, is also affected, and other Gitea-derived forks may be impacted as well.

Because of the flaw, authentication requirements were not enforced on images marked as private: the container registry still served them in response to standard, anonymous Docker/OCI pull requests to the registry API.

The defect lurked in Gitea’s code for approximately four years before being patched in version 1.26.2, which was released last week.

“Gitea’s container registry has allowed any person on the internet, with no account, no password, and no prior access, to pull what would be considered private container images at first glance from affected instances as if they were public,” NoScope says.

Because container images may contain sensitive information such as source code, secrets, and production infrastructure details, the impact of the bug is considerable, the security firm warns.

According to NoScope, a Shodan search uncovered over 34,000 internet-facing Gitea instances, of which approximately 93%, or 31,750, were likely vulnerable. Analysis of the potentially affected deployments showed that roughly 4,000 were production systems running on major cloud or VPS platforms. Approximately 7,000 instances, NoScope says, were running on Gitea’s default port.

“The data is unambiguous. These aren’t hobby machines. These are organisations that made a deliberate decision to self-host their development infrastructure, running it on production-grade compute, for real workloads,” the AI pentesting firm notes.

Organizations are advised to update to Gitea version 1.26.2 immediately, or to change the configuration settings to require authentication for all content access.

“Note that this setting is not suitable for instances that intentionally expose some containers publicly; operators in that situation should weigh the trade-off carefully,” NoScope says.

Written By Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.
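The following script is an added illustration and is not code from the article, from NoScope, or from the Gitea project. It performs the post-upgrade check an operator would want: an unauthenticated OCI manifest request for an image known to be private, which a fixed registry must refuse (HTTP 401/403, or 404 where the registry hides existence) rather than answer with HTTP 200 and a manifest body, the behaviour the article describes. A constructed stand-in registry is included so the script runs offline in both the vulnerable and the fixed mode; the owner, image and tag names, the stand-in's responses, and the helper names are assumptions.

```python
"""Operator self-check for anonymous container-image pulls (added example).

The stand-in registry below is constructed for the example; to check a real
deployment, call probe_anonymous_pull() against your own instance with an
image you know is marked private and expect "enforced" (or "hidden").
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical private image path; a real check uses one you know is private.
OWNER, IMAGE, TAG = "acme", "internal-api", "latest"

OCI_ACCEPT = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])


def probe_anonymous_pull(base_url: str, owner: str, image: str, ref: str,
                         timeout: float = 10) -> str:
    """Issue an unauthenticated OCI manifest GET and classify the response.

    Returns one of:
      "exposed"  - 200 with a manifest body: the private image is served anonymously
      "enforced" - 401/403: authentication is required (expected after the fix)
      "hidden"   - 404: the registry does not reveal the image to anonymous callers
      "unknown"  - anything else (proxy error, unexpected status, non-manifest body)
    """
    url = f"{base_url.rstrip('/')}/v2/{owner}/{image}/manifests/{ref}"
    # No Authorization header on purpose: this is the anonymous pull path.
    req = urllib.request.Request(url, headers={"Accept": OCI_ACCEPT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return "unknown"
            body = json.loads(resp.read() or b"{}")
            # A real manifest carries schemaVersion; anything else is not a successful pull.
            return "exposed" if isinstance(body, dict) and "schemaVersion" in body else "unknown"
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return "enforced"
        if err.code == 404:
            return "hidden"
        return "unknown"
    except (urllib.error.URLError, ValueError, OSError):
        return "unknown"


class _StandInRegistry(BaseHTTPRequestHandler):
    """Constructed stand-in for a registry; enforce_auth selects fixed vs vulnerable behaviour."""
    enforce_auth = True

    def do_GET(self):
        if not self.path.startswith("/v2/"):
            self.send_error(404)
            return
        if self.enforce_auth and "Authorization" not in self.headers:
            # Fixed behaviour: anonymous callers are challenged, nothing is served.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="http://127.0.0.1/v2/token"')
            self.end_headers()
            return
        # Vulnerable behaviour (or an authenticated caller): the manifest is served.
        manifest = json.dumps({"schemaVersion": 2, "layers": []}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/vnd.oci.image.manifest.v1+json")
        self.send_header("Content-Length", str(len(manifest)))
        self.end_headers()
        self.wfile.write(manifest)

    def log_message(self, *args):
        pass  # keep the example quiet


def run_against_stand_in(enforce_auth: bool) -> str:
    """Start the stand-in registry in the given mode, probe it anonymously, shut it down."""
    handler = type("Handler", (_StandInRegistry,), {"enforce_auth": enforce_auth})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return probe_anonymous_pull(base, OWNER, IMAGE, TAG)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable registry:", run_against_stand_in(enforce_auth=False))  # exposed
    print("fixed registry:     ", run_against_stand_in(enforce_auth=True))   # enforced
```

Run it against your own instance only, with an image you know is private; a result of "exposed" after upgrading to 1.26.2 means the image is actually public or a reverse proxy is answering in the registry's place, and either case deserves a look. The configuration route the article mentions is, as an assumption since the article does not name the setting, `REQUIRE_SIGNIN_VIEW = true` in the `[service]` section of Gitea's app.ini, which carries the trade-off NoScope notes: intentionally public images stop being pullable anonymously too.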
An access control flaw (CVE-2026-27771) in Gitea's built-in container registry allowed unauthenticated attackers to pull private container images via standard Docker/OCI pull requests. The vulnerability existed for approximately four years and was patched in Gitea version 1.26.2. Organizations should immediately upgrade to version 1.26.2 or reconfigure their registry to require authentication for all content access.