Self-Hosted Weekly: Week 22, 2026. Gitea CVE Hits 30K Servers, Percona Turns 20, Sway Adds HDR
Another week, another pile of news for anyone running their own infrastructure. This one was loaded. A four-year-old Gitea flaw left tens of thousands of container registries reading like an open book. Percona threw itself a 20th birthday party and announced a new MySQL foundation in the same breath. Sway shipped HDR. And Meta woke up its caching engine after a two-year nap.
Here are the stories you should know about this week.
1. Gitea CVE-2026-27771: 30,000 Registries Were Public the Whole Time
A critical access control bug in Gitea's built-in container registry let any unauthenticated attacker pull "private" container images without credentials. No login, no token, just a standard Docker pull request and you were in. The flaw sat in the code for almost four years and affected more than 30,000 self-hosted deployments across healthcare, aerospace, and ISP infrastructure.
The patch landed in Gitea 1.26.2 on May 20. Forgejo, which shares the same registry implementation, is also affected (though the project pushed back on the framing). If you cannot patch right now, set REQUIRE_SIGNIN_VIEW = true in the [service] section of app.ini and restart: that forces a login for every request, the registry API included, so anonymous pulls stop and you can breathe a little easier until you upgrade. One caveat: it is a blunt instrument. It also hides your public repositories and packages from anyone who is not signed in, and it is a stopgap, not a fix.
Hot take: Container images leak secrets. Yours probably do too. Treat the registry exposure like a credentials breach: rotate any token, key or password that was ever baked into a private image (a secret deleted in a later Dockerfile step still sits in the earlier layer and in the image history), and audit your registry and reverse-proxy access logs for manifest and blob pulls that did not come from your CI runners.
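Before trusting either the upgrade or the REQUIRE_SIGNIN_VIEW workaround, verify it from the outside. The script below is an added example written for this newsletter, not Gitea or Forgejo code. It assumes only what the story states: the registry speaks the standard OCI distribution API under /v2/, and on a fixed instance a request for a private image's manifest or tag list with no credentials must be refused with 401. The hostname, owner and image names are placeholders; point it at a private image on an instance you operate.

```python
"""Anonymous-pull probe for a Gitea (or Forgejo) container registry.

Added example for this newsletter; not Gitea project code.  It assumes the
registry speaks the standard OCI distribution API under /v2/ (Gitea's
built-in registry does) and that, on a patched instance, the manifest or
tag list of a PRIVATE image answers 401 to a request with no credentials.
Run it only against an instance you operate.
"""
import sys
import urllib.error
import urllib.request

# The manifest media types a plain `docker pull` asks for.
ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])


def anonymous_status(url, headers):
    """HTTP status of an unauthenticated GET.  4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(statuses):
    """Turn per-endpoint status codes into a verdict.

    200 on the manifest or the tag list means private content is served to
    anyone: EXPOSED.  401 on both means the registry demanded credentials: ok.
    Anything else (404 for a mistyped image name, 5xx, redirects) is
    inconclusive, so a typo can never produce a false "ok".
    The /v2/ version-check endpoint is recorded for context only; registries
    answer it 401 or 200 regardless of whether any image is private.
    """
    content = [statuses["manifest"], statuses["tags"]]
    if 200 in content:
        return "EXPOSED"
    if all(code == 401 for code in content):
        return "ok"
    return "inconclusive"


def probe_registry(base_url, owner, image, tag="latest", fetch=anonymous_status):
    """Probe one private image with no credentials.

    `fetch(url, headers) -> int` is injectable so the decision logic can be
    exercised offline; the default performs the real request.  Gitea lowercases
    owner and image names in registry paths, so pass them lowercased.
    """
    base = base_url.rstrip("/")
    urls = {
        "api": f"{base}/v2/",
        "manifest": f"{base}/v2/{owner}/{image}/manifests/{tag}",
        "tags": f"{base}/v2/{owner}/{image}/tags/list",
    }
    statuses = {name: fetch(url, {"Accept": ACCEPT}) for name, url in urls.items()}
    return {"statuses": statuses, "verdict": classify(statuses)}


if __name__ == "__main__":
    # Hypothetical usage: python probe.py https://git.example.org acme api v1
    if len(sys.argv) < 4:
        sys.exit("usage: probe.py https://git.example.org OWNER PRIVATE_IMAGE [TAG]")
    result = probe_registry(*sys.argv[1:5])
    for name, code in result["statuses"].items():
        print(f"{name:9s} {code}")
    print("verdict:", result["verdict"])
    sys.exit(0 if result["verdict"] == "ok" else 1)
```

Run it once against a private image before the change and once after: "EXPOSED" before and "ok" after is the result you want. An "inconclusive" verdict usually means the image path is wrong (registries answer 404 rather than 401 for an image that does not exist), so fix the name rather than reading it as good news. The non-zero exit on anything but "ok" is deliberate so the probe can sit in a cron job or CI step as an ongoing check.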
2. GitLab 19.0 Shipped (and Got a Patch Six Days Later)
GitLab 19.0 went GA on May 21 and the 19.0.1 patch arrived May 27. Headline features: Secrets Manager in public beta, four new open source models for self-hosted GitLab Duo, agentic merge request workflows, and a redesigned vulnerability dashboard with risk scores, CWE insights, and PDF export.
The new Secrets Manager is the one to watch if you are tired of juggling Vault sidecars next to your runners. Native integration means one less moving part.
Hot take: GitLab is doubling down on the "single platform" pitch right when teams are starting to question monorepo tooling. Self-hosters get the best deal: full feature set without the per-seat enterprise tax.
3. Percona Turns 20, Launches OurSQL Foundation, Sponsors pgBackRest
Percona had the busiest week in open source databases. On May 28 the company celebrated its 20th birthday at the Computer History Museum in Mountain View (cake shaped like a goat included) and used the moment to announce the OurSQL Foundation, a new MySQL nonprofit. Co-founder Vadim Tkachenko gave the keynote.
In the same week, Percona joined Supabase, pgEdge, and Tiger Data as a sponsor of pgBackRest, the most widely used PostgreSQL backup tool. The sole maintainer had warned he could no longer fund the work after Crunchy Data's acquisition. The coalition stepped in to keep development active.
Hot take: Two stories, same theme: critical OSS infrastructure cannot rely on one company or one maintainer. Distributed sponsorship is becoming the survival pattern, and Percona is now funding key projects on both the MySQL and Postgres sides at once.
4. Sway 1.12 Lands HDR10 Support on Wayland
Sway 1.12 dropped on May 25 with HDR10 output via the Vulkan renderer, individual window capture, support for the color-management-v1 and ext-workspace-v1 protocols, an official way to launch Sway from a display manager, and 138 changes from 50 contributors. It depends on wlroots 0.20.0.
If you self-host a media server and want a proper desktop client for HDR playback, the Linux story just got a lot better.
Hot take: Wayland keeps quietly closing the last gaps with X11 and macOS. HDR was the loudest holdout for creative pros. Strike one more reason to keep using Xorg.
5. SFC's Baltobu Project Hits Its $250K Goal
The Software Freedom Conservancy's reverse-engineering project against Bambu Lab passed its $250,007 fundraising target this week. "Baltobu" (Bringing Affero Licensed Things Onto Bambu Users) lives on SFC's Forgejo instance and has three repos: viscose (a Bambu Studio fork), orca-slicer-for-bambu (a compatible OrcaSlicer soft fork), and a reverse-engineering effort to replace the proprietary libbambu_networking library. Paweł Jarczak, the developer Bambu tried to silence in April, is on as a collaborator.
Hot take: This is the playbook for AGPL enforcement in 2026. Don't sue, ship a free replacement. The same approach worked for KDE and Plasma Mobile; it can work for 3D printers.
6. Meta's CacheLib Wakes Up After Two Years
Meta tagged CacheLib 2026.05.25 on May 25, the first release after a two-year hiatus. There's no public changelog yet, but the project's framing is clear: DRAM prices are wild thanks to AI demand, and CacheLib, open-sourced in 2021, was built to let a service spill cache entries that don't fit in DRAM onto NVMe so a large cache needs far less RAM. The economics of that tradeoff just got dramatically better.
Hot take: If your self-hosted stack relies on big in-memory caches (Redis, Memcached, Valkey) and your DRAM bill is climbing, CacheLib is worth a look. Pluggable in-process caching with NVMe spillover is a category most self-hosters have never tried. Be clear about what it is, though: a C++ library you link into your own process, not a network cache server, so it replaces an embedded cache inside a service rather than the Redis or Valkey instance your other apps talk to over the network.
7. Immich v3.0.0 on the Runway
The Immich team confirmed v3.0.0 lands in May 2026 with three major additions: mobile editing (merged), HTTP Live Streaming for adaptive playback, and the first version of Workflows. Shared library improvements (managing people across user accounts) are also in flight.
Hot take: Mobile editing was the last "Google Photos can do this, Immich can't" gap. With HLS coming, the only real argument left for cloud photo services is the storage discount, and Hetzner storage boxes have an answer for that too.
What We're Watching Next Week
- Gitea exploitation in the wild. Four years of exposure means somebody noticed. Watch CISA's Known Exploited Vulnerabilities catalog.
- OurSQL Foundation details. Who joins, what gets transferred, how the MariaDB Foundation reacts.
- Immich v3.0.0 GA. Mobile editing in the wild will trigger another wave of Google Photos migrations.
- Forgejo's official response to CVE-2026-27771. Their security posture is being tested in public.
Bottom Line
Week 22 was a stress test for the "self-hosted means safer" narrative. Gitea proves that running your own registry doesn't help if the code itself is broken. Percona shows what mature stewardship looks like (20 years, still investing in shared infrastructure). And Sway and Immich keep chipping away at the gaps that pushed people to SaaS in the first place.
Want to skip the patching drama? Deploy Gitea, GitLab, or any of the 400+ open source services on Elestio and let our managed updates and backups handle the boring parts.
Thanks for reading. See you next Friday for Week 23.