CVE-2026-27771 in Gitea’s built-in container registry allows unauthenticated remote attackers to pull private container images without credentials. Private container images frequently contain application source code, hardcoded API keys, database credentials, and proprietary software. The specific affected and fixed version ranges are unconfirmed from available source data; organizations should consult the official Gitea releases page and NVD entry before acting on version-specific guidance.