Skip to main content

OneDev CVE-2026-11439

| EUVDEUVD-2026-34974 MEDIUM
Improper Authorization (CWE-285)
2026-06-06 VulDB GHSA-q98j-2qw6-gh6w
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 06, 2026 - 18:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 06, 2026 - 18:16 vuln.today
Analysis Generated
Jun 06, 2026 - 18:16 vuln.today

DescriptionCVE.org

A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.

AnalysisAI

Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the project.parentId parameter in the /projects/ Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.

Technical ContextAI

OneDev is a self-hosted, open-source Git server and DevOps platform supporting project management, CI/CD pipelines, and code review. The vulnerability resides in the Parent Project Handler component, which governs hierarchical relationships between projects via the /projects/ API endpoint. CWE-285 (Improper Authorization) identifies the root cause as a failure to correctly enforce permission checks on the project.parentId argument - meaning the application authenticates the user but does not adequately verify whether that user holds sufficient rights to assign or manipulate a given project's parent relationship. This is structurally distinct from an authentication bypass in the traditional sense; the user is legitimately logged in, but the server-side authorization gate for parent project reassignment is insufficiently enforced. The CPE string cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:* confirms all variants of the OneDev server application are in scope.

RemediationAI

The primary and recommended remediation is to upgrade OneDev to version 15.0.6 or later, which contains the vendor-released patch. The release is available at https://github.com/theonedev/onedev/releases/tag/v15.0.6, and the CVSS RL:O temporal metric confirms this is an official vendor fix. If an immediate upgrade is not operationally feasible, a compensating control would be to restrict access to the /projects/ API endpoint at the reverse-proxy or network perimeter layer to a known, trusted set of IP ranges or privileged user segments only - noting that this will disrupt legitimate project management workflows for users outside those ranges. Additionally, administrators should audit recent project parent-assignment changes in the OneDev activity log to detect any unauthorized hierarchy modifications that may have occurred prior to patching. No workarounds short of network-layer access restriction are evident from the available data.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2022-39208 HIGH POC
7.5 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2023-24828 HIGH
8.8 Feb 08

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-11439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy