CVE-2026-27771
Gitea Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-27771 is a missing authorization vulnerability in Gitea's Composer package registry that allows unauthenticated remote attackers to access private or internal package source links and enumerate/pull private container images without credentials. It affects all Gitea Open Source Git Server versions up to and including 1.26.1, with the fix introduced in version 1.26.2. The vulnerability was disclosed on July 3, 2026, with the underlying fix merged on May 11, 2026 (PR #37610). It carries a CVSS v3.0 base score of 8.2 (High) (GitHub Advisory, Gitea Release).

Détails techniques

The root cause is a missing authorization check (CWE-862) in the Composer package metadata API handler (routers/api/packages/composer/api.go). Specifically, the permission guard used permission.HasAnyUnitAccess() instead of permission.HasAnyUnitAccessOrPublicAccess(), which failed to account for anonymous or public access modes — meaning unauthenticated requests could bypass the check and receive Composer package source URLs pointing to private or internal repositories. The fix (PR #37610) corrects the permission check and adds visibility labels for private/internal packages. No authentication or special privileges are required to exploit this vulnerability over the network (GitHub Advisory, Gitea PR #37610).

Impact

An unauthenticated attacker can access and enumerate private or internal Composer package source links, and — based on the available proof-of-concept — can also discover and pull private container images from vulnerable Gitea instances without any credentials. This results in a high confidentiality impact (exposure of proprietary source code references, internal package metadata, and container image contents) and a low integrity impact. Availability is not affected. Approximately 30,000 Gitea deployments were reportedly exposed, with the vulnerability potentially present for multiple years prior to disclosure (GitHub Advisory, SecurityWeek).

Étapes d’exploitation

  1. Reconnaissance: Use Shodan, Censys, or similar tools to identify internet-facing Gitea instances running version 1.26.1 or earlier by querying for Gitea-specific HTTP headers or login pages.
  2. Identify Composer package endpoints: Send unauthenticated HTTP GET requests to the Gitea Composer package metadata API endpoint (e.g., /api/packages/{owner}/composer/packages.json) to enumerate available packages.
  3. Extract private source links: Due to the missing authorization check, the API response includes source fields containing URLs pointing to private or internal repositories, even for unauthenticated requests.
  4. Enumerate private container images: Using the public exploit script (CVE-2026-27771-exploit.py), run scan <url> to discover private repositories and pull <url> to download private container images without credentials.
  5. Exfiltrate data: Retrieve proprietary source code references, internal package metadata, or container image contents for further analysis or lateral movement (PoC Exploit, GitHub Advisory).

Indicateurs de compromis

  • Network: Unauthenticated HTTP GET requests to /api/packages/<owner>/composer/packages.json or similar Composer API endpoints from external or unexpected IP addresses; unusual outbound connections from the Gitea server to unknown hosts after enumeration.
  • Logs: Gitea access logs showing repeated unauthenticated requests to Composer package metadata endpoints; requests from IPs with no prior authentication history accessing package source URLs for private repositories.
  • File System: Unexpected downloads or clones of private container image layers or repository archives initiated without valid credentials.
  • Process: Unusual child processes or network activity spawned by the Gitea service process following API enumeration requests (PoC Exploit, Orca Security).

Atténuation et solutions de contournement

Upgrade Gitea to version 1.26.2 or later, which includes the fix for the Composer package source permission check (PR #37610, merged May 11, 2026). No configuration-based workaround is available; upgrading is the only remediation. As interim measures, administrators should implement network-level access controls to restrict exposure of Gitea package registry endpoints, and audit which Composer package sources are currently accessible on their instances (Gitea Release, GitHub Advisory).

Réactions de la communauté

The vulnerability received significant media coverage, with The Hacker News, SecurityWeek, GBHackers, and CyberSecurityNews all reporting on the issue shortly after disclosure. SecurityWeek noted that approximately 30,000 Gitea deployments were exposed, and TechTimes reported the flaw may have existed for up to four years. The self-hosted community on Reddit (r/selfhosted) urged users to update Gitea and Forgejo immediately. Horizon3.ai published attack research on the vulnerability, and Emerging Threats added detection rules. The Forgejo project (a Gitea fork) also addressed the issue and referenced it in their May 2026 monthly report (The Hacker News, SecurityWeek, Forgejo Report).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Gitea Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-28737HIGH8.7
  • Gitea logoGitea
  • gitea
NonOuiJul 03, 2026
CVE-2026-27771HIGH8.2
  • Gitea logoGitea
  • cpe:2.3:a:gitea:gitea
NonOuiJul 03, 2026
CVE-2026-28744HIGH8.1
  • Gitea logoGitea
  • gitea
NonOuiJul 03, 2026
CVE-2026-28699HIGH8.1
  • Gitea logoGitea
  • code.gitea.io/gitea
NonOuiJul 03, 2026
CVE-2026-27783MEDIUM4.3
  • Gitea logoGitea
  • cpe:2.3:a:gitea:gitea
NonOuiJul 03, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités