Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
AnalysisAI
{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.
Technical ContextAI
OneDev is a self-hosted Git server and DevOps platform (CPE: cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*). The vulnerability resides in its REST API component, specifically the endpoint /repositories/{projectId}/default-branch, which handles setting a repository's default branch via the project.defaultBranch argument. The root cause is CWE-285 (Improper Authorization): the API endpoint fails to adequately enforce authorization controls before accepting branch modification requests, allowing a caller with only low privileges to affect project configuration beyond their intended permission scope. This class of flaw typically arises when authorization checks are missing or bypassed at the API layer, even when the UI enforces the same operation correctly.
RemediationAI
Upgrade OneDev to version 15.0.6 or later, which contains the vendor-released fix for this improper authorization issue; the patched release is available at https://github.com/theonedev/onedev/releases/tag/v15.0.6. If an immediate upgrade is not possible, access to the REST API endpoint /repositories/{projectId}/default-branch (HTTP methods that modify the default branch) should be restricted at the network or reverse-proxy layer to only those IP ranges or authenticated roles that legitimately require it - this reduces exposure but does not eliminate the underlying flaw. Restricting general user account creation or tightening role permissions to limit the pool of low-privilege accounts that can reach the API is an additional compensating control with the trade-off of potentially impacting normal workflow automation. Monitoring API access logs for unexpected calls to the /repositories/*/default-branch path can provide early detection of exploitation attempts.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34975
GHSA-2g53-8j24-x4mg