2026-04-14: Customers getting "pull access denied" from `registry.gitlab.com/gitlab-org/` images
# Customers getting "pull access denied" from `registry.gitlab.com/gitlab-org/` images (Severity 2)

**Problem**: Customers received 'pull access denied' errors when GitLab runners attempted to pull images from the `registry.gitlab.com/gitlab-org/` namespace, leading to a spike in 401 unauthorized responses in registry logs.

**Impact**: 5 customers were unable to pull images from the `registry.gitlab.com/gitlab-org/` namespace using GitLab runners, which blocked their deployments and feature flag changes. Security scanning jobs using `CI_JOB_TOKEN` were also affected.

**Causes**: A recently merged policy refactor added a permission rule for CI job token authentication, which unintentionally restricted container image pulls in CI for both public and private projects.

**Response strategy**: We provided a temporary workaround to avoid using the `CI_JOB_TOKEN` for container registry authentication. A rollback to the previous release has now been completed across all production clusters. Verification confirmed that pipelines can again pull container images when authenticating with a CI job token, and affected customers are now unblocked. We've also reverted the MR that introduced the permission policy refactor.

_This ticket was created to track_ [_INC-9218_](https://app.incident.io/gitlab/incidents/9218)_, by_ [_incident.io_](https://app.incident.io) 🔥