NoScope AI Pentesting Agent Discovers 4-Year-Old Gitea Vulnerability Exposing 30,000+ Instances
Key Takeaways
- An autonomous AI pentesting agent successfully identified a 4-year-old vulnerability affecting thousands of production Gitea instances
- Container images can leak sensitive production credentials and infrastructure details; this vulnerability exposed them to unauthenticated internet access
- NoScope's systematic, angle-by-angle probing of application access models demonstrates AI's value in identifying security gaps missed by conventional reviews
Summary
NoScope, an autonomous AI pentesting agent, discovered CVE-2026-27771, a critical vulnerability in Gitea's container registry that allowed unauthenticated access to private container images. The flaw went undetected for nearly four years and affected an estimated 30,000+ internet-facing Gitea deployments. Container images often embed sensitive production data—credentials, API keys, TLS certificates, and internal infrastructure configuration—that were exposed without any authentication barrier. NoScope's systematic methodology for probing access models and application functionality across all exposed surfaces identified the gap in Gitea's registry access controls. The vulnerability was responsibly disclosed, resulting in Gitea v1.26.2 and a recommendation that affected users update immediately or implement temporary workarounds.
- The discovery highlights the importance of autonomous security tooling in finding subtle but critical flaws in default configurations
Editorial Opinion
CVE-2026-27771 is a powerful case study in how autonomous AI agents can surface critical vulnerabilities that evade human-led security research. NoScope's ability to systematically exercise every angle of an application's access model—methodically probing the full attack surface—uncovered a flaw hiding in plain sight for four years. This discovery validates the emerging security paradigm: AI-driven autonomous agents are becoming force multipliers for vulnerability detection, finding what humans miss and doing so at scale.



