
PEACH
Un cadre d’isolation des locataires
CVE-2026-27771 is a missing authorization vulnerability in Gitea's Composer package registry that allows unauthenticated remote attackers to access private or internal package source links and enumerate/pull private container images without credentials. It affects all Gitea Open Source Git Server versions up to and including 1.26.1, with the fix introduced in version 1.26.2. The vulnerability was disclosed on July 3, 2026, with the underlying fix merged on May 11, 2026 (PR #37610). It carries a CVSS v3.0 base score of 8.2 (High) (GitHub Advisory, Gitea Release).
The root cause is a missing authorization check (CWE-862) in the Composer package metadata API handler (routers/api/packages/composer/api.go). Specifically, the permission guard used permission.HasAnyUnitAccess() instead of permission.HasAnyUnitAccessOrPublicAccess(), which failed to account for anonymous or public access modes — meaning unauthenticated requests could bypass the check and receive Composer package source URLs pointing to private or internal repositories. The fix (PR #37610) corrects the permission check and adds visibility labels for private/internal packages. No authentication or special privileges are required to exploit this vulnerability over the network (GitHub Advisory, Gitea PR #37610).
An unauthenticated attacker can access and enumerate private or internal Composer package source links, and — based on the available proof-of-concept — can also discover and pull private container images from vulnerable Gitea instances without any credentials. This results in a high confidentiality impact (exposure of proprietary source code references, internal package metadata, and container image contents) and a low integrity impact. Availability is not affected. Approximately 30,000 Gitea deployments were reportedly exposed, with the vulnerability potentially present for multiple years prior to disclosure (GitHub Advisory, SecurityWeek).
/api/packages/{owner}/composer/packages.json) to enumerate available packages.source fields containing URLs pointing to private or internal repositories, even for unauthenticated requests.CVE-2026-27771-exploit.py), run scan <url> to discover private repositories and pull <url> to download private container images without credentials./api/packages/<owner>/composer/packages.json or similar Composer API endpoints from external or unexpected IP addresses; unusual outbound connections from the Gitea server to unknown hosts after enumeration.Upgrade Gitea to version 1.26.2 or later, which includes the fix for the Composer package source permission check (PR #37610, merged May 11, 2026). No configuration-based workaround is available; upgrading is the only remediation. As interim measures, administrators should implement network-level access controls to restrict exposure of Gitea package registry endpoints, and audit which Composer package sources are currently accessible on their instances (Gitea Release, GitHub Advisory).
The vulnerability received significant media coverage, with The Hacker News, SecurityWeek, GBHackers, and CyberSecurityNews all reporting on the issue shortly after disclosure. SecurityWeek noted that approximately 30,000 Gitea deployments were exposed, and TechTimes reported the flaw may have existed for up to four years. The self-hosted community on Reddit (r/selfhosted) urged users to update Gitea and Forgejo immediately. Horizon3.ai published attack research on the vulnerability, and Emerging Threats added detection rules. The Forgejo project (a Gitea fork) also addressed the issue and referenced it in their May 2026 monthly report (The Hacker News, SecurityWeek, Forgejo Report).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."