A critical unauthenticated access vulnerability (CVE-2026-27771, CVSS 9.1) has been publicly disclosed in Gitea’s built-in container registry. Any organization running Gitea’s container registry may have exposed private container images to unauthorized parties without requiring any credentials. Exposed images frequently contain application source code, API keys, database credentials, and proprietary software, creating direct pathways to broader infrastructure compromise.