Skip to main content

OneDev CVE-2026-11440

| EUVDEUVD-2026-34975 MEDIUM
Improper Authorization (CWE-285)
2026-06-06 VulDB GHSA-2g53-8j24-x4mg
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 06, 2026 - 18:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 06, 2026 - 18:15 vuln.today
Analysis Generated
Jun 06, 2026 - 18:15 vuln.today

DescriptionCVE.org

A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.

AnalysisAI

{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.

Technical ContextAI

OneDev is a self-hosted Git server and DevOps platform (CPE: cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*). The vulnerability resides in its REST API component, specifically the endpoint /repositories/{projectId}/default-branch, which handles setting a repository's default branch via the project.defaultBranch argument. The root cause is CWE-285 (Improper Authorization): the API endpoint fails to adequately enforce authorization controls before accepting branch modification requests, allowing a caller with only low privileges to affect project configuration beyond their intended permission scope. This class of flaw typically arises when authorization checks are missing or bypassed at the API layer, even when the UI enforces the same operation correctly.

RemediationAI

Upgrade OneDev to version 15.0.6 or later, which contains the vendor-released fix for this improper authorization issue; the patched release is available at https://github.com/theonedev/onedev/releases/tag/v15.0.6. If an immediate upgrade is not possible, access to the REST API endpoint /repositories/{projectId}/default-branch (HTTP methods that modify the default branch) should be restricted at the network or reverse-proxy layer to only those IP ranges or authenticated roles that legitimately require it - this reduces exposure but does not eliminate the underlying flaw. Restricting general user account creation or tightening role permissions to limit the pool of low-privilege accounts that can reach the API is an additional compensating control with the trade-off of potentially impacting normal workflow automation. Monitoring API access logs for unexpected calls to the /repositories/*/default-branch path can provide early detection of exploitation attempts.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2022-39208 HIGH POC
7.5 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2023-24828 HIGH
8.8 Feb 08

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-11440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy