Insufficient Permission Checks in Gitea Affecting Package Sources
CVE-2026-27771

8.2 HIGH

Key Information:

Vendor: Gitea
CVE Published: 3 July 2026

Badges

📰 News Worthy

What is CVE-2026-27771?

Gitea versions up to and including 1.26.1 perform insufficient permission checks on Composer package source links. Per the CVSS vector recorded below (network attack vector, no privileges, no user interaction), a remote attacker without credentials can use this to read package source information that should only be available to authorized users, exposing private data from the development environment. Upgrade to Gitea 1.26.2 or later, which contains the fix.
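The affected range above is a plain version comparison, so the first thing a practitioner wants is a check that classifies each self-hosted instance's reported version against it. The following is an added example, not code from Gitea or from the advisory: it parses the JSON body that Gitea's unauthenticated `GET /api/v1/version` endpoint returns and decides whether the instance is affected, fixed, or a pre-release/development build whose numeric version alone cannot settle the question. The host names and response bodies are constructed for the example and are not captured from any real instance.

```python
import json
import re

# Fixed release named by the advisory; every numeric version below it is in
# the affected range "0 <= version <= 1.26.1".
FIXED_VERSION = (1, 26, 2)

# Gitea reports versions such as "1.26.1", "v1.26.2", "1.26.2-rc1" or
# "1.27.0+dev-214-g0123abc"; capture the numeric core and any suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Return ((major, minor, patch), suffix) for a Gitea version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {text!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    return core, m.group(4)


def assess(text):
    """Classify a version string against CVE-2026-27771.

    Returns "affected", "fixed" or "unverified". A release candidate or
    development build at or above 1.26.2 is only "unverified": its numeric
    version does not say whether the fixing commit is present, so check the
    build's commit instead.
    """
    core, suffix = parse_version(text)
    if core < FIXED_VERSION:
        return "affected"
    if suffix and ("rc" in suffix or "dev" in suffix):
        return "unverified"
    return "fixed"


def assess_version_response(body):
    """Parse the JSON body returned by GET /api/v1/version and assess it."""
    version = json.loads(body)["version"]
    return {"version": version, "status": assess(version), "fixed_in": "1.26.2"}


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = {
    "git.example.internal": '{"version":"1.26.1"}',
    "git2.example.internal": '{"version":"1.26.2"}',
    "ci.example.internal": '{"version":"1.27.0+dev-214-g0123abc"}',
}

if __name__ == "__main__":
    for host, body in SAMPLE_RESPONSES.items():
        result = assess_version_response(body)
        print(f"{host}: {result['version']} -> {result['status']}")
```

To run this against a live deployment, fetch `https://<host>/api/v1/version` and pass the response body to `assess_version_response`; the check applies whichever package registry the vulnerable code path sits in, since the advisory's fix is tied to the release, not to a feature. Anything reported as "unverified" should be resolved by inspecting the build's commit rather than trusting the version number.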

Affected Version(s)

Gitea Open Source Git Server: all versions from 0 up to and including 1.26.1

News Articles

Gitea Container Vulnerability Exposes Private Container Images to Attackers - IT Security News

A critical security vulnerability in Gitea’s built-in container registry exposes private container images to unauthenticated attackers, raising significant concerns for organizations that rely on self-hosted Git and CI/CD environments. The flaw, tracked as CVE-2026-27771, allows remote attackers to ...

Gitea Container Registry Vulnerability Could Lead to Private Image Exposure - IT Security News

A critical vulnerability, tracked as CVE-2026-27771, has been discovered in Gitea’s built-in container registry, allowing unauthenticated remote attackers to access private container images without credentials. This flaw poses a serious risk as it can expose sensitive application data, including sou...

Gitea Flaw Left 30,000 Deployments' Private Container Images Readable for 4 Years

Gitea vulnerability CVE-2026-27771 let anyone pull private container images from 30,000-plus self-hosted deployments with no credentials required. Noscope found the flaw affected healthcare,


CVSS V3.0

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • 📰

    First article discovered by The Hacker News

  • Vulnerability Reserved

Credit

DevNoScope