Skip to main content

OneDev CVE-2026-11438

| EUVDEUVD-2026-34973 MEDIUM
Improper Authorization (CWE-285)
2026-06-06 VulDB GHSA-w3rp-rgp7-p999
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 06, 2026 - 17:30 vuln.today
Analysis Generated
Jun 06, 2026 - 17:30 vuln.today
CVSS changed
Jun 06, 2026 - 17:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.

AnalysisAI

Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the project.forkedFromId argument in requests to the /projects endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.

Technical ContextAI

OneDev is a self-hosted, all-in-one DevOps platform built on Git, providing issue tracking, CI/CD, and project management. The vulnerability resides in the /projects route where the server-side handler fails to adequately enforce authorization when processing the project.forkedFromId parameter - a field used to associate a project as a fork of another. CWE-285 (Improper Authorization) indicates that the application either skips or improperly validates the caller's permission to reference or interact with the target parent project ID, allowing a caller to supply arbitrary project identifiers and potentially traverse authorization boundaries. The affected CPE is cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*, covering all OneDev application releases through 15.0.5.

RemediationAI

The primary fix is to upgrade OneDev to version 15.0.6, which addresses this improper authorization issue. The patched release is confirmed available at https://github.com/theonedev/onedev/releases/tag/v15.0.6, with installation guidance at https://docs.onedev.io/category/installation-guide. If an immediate upgrade is not feasible, a compensating control would be to restrict access to the /projects endpoint at the network or reverse-proxy layer for untrusted or low-privileged users, though this may degrade project creation and fork functionality. Additionally, auditing existing project fork relationships (forkedFromId values) for anomalies may help detect any prior exploitation. Note that network-layer restrictions do not address the root authorization flaw and should be treated as a temporary measure only.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2022-39208 HIGH POC
7.5 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2023-24828 HIGH
8.8 Feb 08

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-11438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy