Gitea container registries exposing private images without auth

CVE-2026-27771: Gitea before v1.26.2, together with Forgejo and other forks, failed to enforce access control on private container registries. Roughly 31,750 instances exposed application code, credentials, and certificates to unauthenticated pulls.

Registries marked private did not actually enforce access control, so the images in them could be pulled by anyone on the internet. Container images routinely carry application code, baked-in credentials, API keys, and TLS certificates, so an exposed registry leaks secrets, not just source. Fix: upgrade to v1.26.2. Stopgap: set REQUIRE_SIGNIN_VIEW = true in the [service] section of app.ini, which requires login for every page and API call on the instance. That closes the registry, but it also blocks anonymous clones of intentionally public repositories and anonymous pulls of intentionally public images. If an instance was exposed, treat any credentials baked into its images as compromised and rotate them; upgrading stops further pulls but does not recall images that were already downloaded.
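The check a practitioner wants before and after upgrading is whether a known-private image on their own instance can be fetched with no credentials at all. The script below is an added example, not code from the advisory or from the Gitea project: it requests one manifest through the OCI distribution API that Gitea serves under /v2/ on the instance host, deliberately sends no Authorization header, and turns the HTTP status into a verdict. The host, owner, image, and tag are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not from the advisory or Gitea): probe whether a PRIVATE image on
# your own Gitea/Forgejo instance is served to an unauthenticated client.
# Placeholders (assumed): host, owner, image, tag are passed as arguments.
set -u

# Map the HTTP status of an unauthenticated manifest request to a verdict.
#   200      -> manifest returned without credentials: the private image is exposed
#   401/403  -> access control enforced (what a fixed instance should return)
#   404      -> image not found, or the server hides private images from anonymous users
classify_status() {
  case "$1" in
    200)     echo EXPOSED ;;
    401|403) echo protected ;;
    404)     echo not-found ;;
    *)       echo "unexpected:$1" ;;
  esac
}

# Fetch one image tag's manifest via the OCI distribution API at /v2/ and print
# only the HTTP status. No Authorization header is sent on purpose; the Accept
# header lists the manifest media types so the server does not reject the request
# for an unsupported content type before it gets to the access-control decision.
probe_manifest() {
  host=$1; owner=$2; image=$3; tag=$4
  curl -sS -o /dev/null -w '%{http_code}' \
    -H 'Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json' \
    "https://$host/v2/$owner/$image/manifests/$tag"
}

# Usage: ./check_registry.sh gitea.example.com myorg internal-api latest
# Exit status 2 means the private image was pullable without authentication.
if [ "$#" -eq 4 ]; then
  status=$(probe_manifest "$@")
  verdict=$(classify_status "$status")
  echo "$1/$2/$3:$4 -> HTTP $status ($verdict)"
  if [ "$verdict" = EXPOSED ]; then
    exit 2
  fi
fi
```

Run it against an image you know is private: a public image returns 200 to anonymous clients by design, so it says nothing about the vulnerability. A 200 on a private image means the instance is still affected (or REQUIRE_SIGNIN_VIEW has not taken effect); after the upgrade or the stopgap the same request should come back 401 or 403. Treat a 404 with caution rather than as a clean result, since it can also mean a typo in the owner or image name.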