CVE-2026-27771

HIGH NUCLEI

Gitea Composer package source links use insufficient permission checks

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-27771. PoCs published by portbuster1337, HORKimhab. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-27771, an authentication bypass vulnerability in Gitea's container registry (versions < 1.26.2). The exploit allows unauthenticated attackers to pull private container images by leveraging a flaw in the ReqContainerAccess middleware that fails to check package owner visibility for ghost users (UserID: -1).

Description

Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.

Exploits (2)

nomisec WORKING POC 16 stars
by portbuster1337 · poc
https://github.com/portbuster1337/CVE-2026-27771

This repository contains a functional exploit for CVE-2026-27771, an authentication bypass vulnerability in Gitea's container registry (versions < 1.26.2). The exploit allows unauthenticated attackers to pull private container images by leveraging a flaw in the ReqContainerAccess middleware that fails to check package owner visibility for ghost users (UserID: -1).

Classification
Working Poc 98%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Gitea < 1.26.2 with OCI container registry enabled
No auth needed
Prerequisites: Gitea instance version < 1.26.2 · OCI container registry enabled (v1.17.0+) · Python 3.8+ for running the exploit
mistral-large-3 · analyzed Jul 06, 2026 Full analysis →
nomisec STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-27771

This repository contains no functional exploit code, technical details, or vulnerability analysis for CVE-2026-27771. It only includes placeholder files (README, LICENSE, .gitignore, and a template file) with generic educational disclaimers and usage instructions.

Classification
Stub 99%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unspecified
No auth needed
mistral-large-3 · analyzed Jul 06, 2026 Full analysis →

Nuclei Templates (1)

Gitea Container Registry - Unauthorized Private Image Access
HIGHVERIFIEDby DhiyaneshDk
Shodan: http.html:"Gitea"
FOFA: app="Gitea"

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory
https://github.com/go-gitea/gitea/security/advisories/GHSA-8qw8-rq86-9pc2
Patch patch
GitHub Pull Request #37610
https://github.com/go-gitea/gitea/pull/37610
Release Notes release-notes
Gitea v1.26.2 Release
https://github.com/go-gitea/gitea/releases/tag/v1.26.2
Release Notes release-notes
Gitea v1.26.2 Release Blog Post
https://blog.gitea.com/release-of-1.26.2/

Scores

CVSS v3 8.2
EPSS 0.4074
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
Gitea/Gitea Open Source Git Server < 1.26.1
Published Jul 03, 2026
Tracked Since Jul 04, 2026