Unauthenticated access to private container images in Gitea
CVE-2026-27771 is an access control flaw in Gitea affecting all versions prior to 1.26.2. According to the available reporting, affected Gitea deployments can expose private container images to unauthenticated remote attackers, allowing those images to be pulled without an account, password, or other credentials. The issue causes repositories or registry content marked private to be served as if it were public. No additional technical details about the specific vulnerable function or code path were provided in the source material.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single Python proof-of-concept exploit and a README. The main file, CVE-2026-27771-exploit.py, targets a Gitea container registry authorization bypass affecting versions before 1.26.2. The exploit is not framework-based and is a standalone operational script. The script supports three modes: scan, pull, and register. In scan mode it performs pre-flight checks against the target, including version detection and OCI registry availability, then attempts to obtain an anonymous registry token or use a supplied token. It enumerates repositories via /v2/_catalog and tags via per-repository tag listing endpoints to determine exposure. In pull mode it goes further by retrieving manifests, resolving multi-architecture images, downloading blobs/layers, and extracting gzip-compressed tar layers into local directories. In register mode it attempts to create a new account through the web registration flow if self-registration is enabled and not protected by captcha. Code structure is straightforward: helper HTTP functions (fetch, fetch_auth, post_form), token helpers (JWT decoding, PAT detection, PAT-to-JWT exchange), registration logic, pre-flight/version parsing, repository/tag enumeration, and image pulling/extraction routines. The script disables TLS certificate validation, uses urllib and a cookie jar for session handling, and supports both anonymous and authenticated access paths. The exploit’s core capability is unauthorized remote access to private OCI container images hosted on vulnerable Gitea instances. It fingerprints the target through version and registry endpoints, then abuses the flawed authorization model to enumerate and exfiltrate private registry contents. The README documents affected versions, root cause, workaround, and reproduction steps, confirming the exploit’s purpose and expected behavior.
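A defender-side check for the behaviour described above, added here as an example that is not from the page or from the repository it describes: it classifies a Gitea version string against the 1.26.2 fix boundary and scans reverse-proxy access logs for successful unauthenticated requests to the registry endpoints the advisory concerns (the `/v2/_catalog` listing and per-image tag, manifest and blob paths). The log format with its trailing authorization-presence field, the sample log lines, and the private-image inventory are constructed assumptions, not Gitea's own log output.

```python
import re
from typing import List, NamedTuple, Optional

FIXED_VERSION = (1, 26, 2)  # first Gitea release carrying the fix, per the advisory

def is_affected_version(version: str) -> Optional[bool]:
    """True if a Gitea version string (e.g. '1.26.1', '1.25.3+dev-12-gabc') predates 1.26.2."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None  # unrecognised version string: unknown, do not assume safe
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION

# Constructed log format (assumption): combined log plus one trailing field a reverse
# proxy in front of Gitea could emit, "auth" if an Authorization header was present, else "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<auth>\S+)$'
)
# OCI registry paths served under /v2/<owner>/<package>/{manifests,blobs,tags}/...
REGISTRY_RE = re.compile(r"^/v2/(?P<owner>[^/]+)/(?P<pkg>[^/]+)/(?:manifests|blobs|tags)/")

class Finding(NamedTuple):
    ip: str
    path: str
    reason: str

def find_anonymous_private_pulls(log_text: str, private_images: set) -> List[Finding]:
    """Flag successful (2xx) unauthenticated requests that list the catalog or touch a private image."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2") or m["auth"] != "-":
            continue  # failed or authenticated requests are expected behaviour
        path = m["path"]
        if path == "/v2/_catalog":
            findings.append(Finding(m["ip"], path, "anonymous catalog listing succeeded"))
            continue
        r = REGISTRY_RE.match(path)
        if r and f"{r['owner']}/{r['pkg']}" in private_images:
            findings.append(Finding(m["ip"], path, "anonymous access to private image"))
    return findings

# Constructed sample data: your own inventory of private images and a few proxy log lines.
PRIVATE_IMAGES = {"acme/internal-api"}
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /v2/_catalog HTTP/1.1" 200 512 "-" "docker/27.0" -
203.0.113.7 - - [12/Mar/2026:10:01:03 +0000] "GET /v2/acme/internal-api/tags/list HTTP/1.1" 200 88 "-" "docker/27.0" -
203.0.113.7 - - [12/Mar/2026:10:01:05 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1440 "-" "docker/27.0" -
10.0.0.5 - alice [12/Mar/2026:10:02:00 +0000] "GET /v2/acme/internal-api/manifests/latest HTTP/1.1" 200 1440 "-" "docker/27.0" auth
203.0.113.9 - - [12/Mar/2026:10:03:00 +0000] "GET /v2/acme/public-site/manifests/v1 HTTP/1.1" 200 900 "-" "docker/27.0" -
"""
```

Run against your own proxy logs with your own private-image inventory; on a patched instance the unauthenticated registry requests should appear with 401 rather than 200 and produce no findings.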