Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
AnalysisAI
Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the project.forkedFromId argument in requests to the /projects endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.
Technical ContextAI
OneDev is a self-hosted, all-in-one DevOps platform built on Git, providing issue tracking, CI/CD, and project management. The vulnerability resides in the /projects route where the server-side handler fails to adequately enforce authorization when processing the project.forkedFromId parameter - a field used to associate a project as a fork of another. CWE-285 (Improper Authorization) indicates that the application either skips or improperly validates the caller's permission to reference or interact with the target parent project ID, allowing a caller to supply arbitrary project identifiers and potentially traverse authorization boundaries. The affected CPE is cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*, covering all OneDev application releases through 15.0.5.
RemediationAI
The primary fix is to upgrade OneDev to version 15.0.6, which addresses this improper authorization issue. The patched release is confirmed available at https://github.com/theonedev/onedev/releases/tag/v15.0.6, with installation guidance at https://docs.onedev.io/category/installation-guide. If an immediate upgrade is not feasible, a compensating control would be to restrict access to the /projects endpoint at the network or reverse-proxy layer for untrusted or low-privileged users, though this may degrade project creation and fork functionality. Additionally, auditing existing project fork relationships (forkedFromId values) for anomalies may help detect any prior exploitation. Note that network-layer restrictions do not address the root authorization flaw and should be treated as a temporary measure only.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34973
GHSA-w3rp-rgp7-p999