Cve-2026-27771

vulnerability 2026-05-27
Gitea CVE-2026-27771: Container Registry Hands Out Private Images Without Authentication, 30,000 Instances Exposed
A four-year-old flaw in Gitea's OCI container registry lets anyone on the internet pull images marked private. 30,000+ deployments are exposed, Forgejo inherits the bug, and the only real fix is upgrading to 1.26.2 or forcing sign-in for all content.
gitea forgejo cve-2026-27771 container-registry oci self-hosted git-server supply-chain

Gitea CVE-2026-27771: Container Registry Hands Out Private Images Without Authentication, 30,000 Instances Exposed