Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
AnalysisAI
Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The canAccessIssue function in the /issues/ endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.
Technical ContextAI
OneDev is a self-hosted Git server and DevOps platform (CPE: cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*). The vulnerability resides in the canAccessIssue function within the Pull Request Handler component, responsible for determining whether a user has permission to access a given issue object via the /issues/ endpoint. CWE-285 (Improper Authorization) indicates the authorization logic accepts or processes a request without adequately verifying that the requesting user has the necessary permissions - in this case, the issue argument can be manipulated to reference issues outside the caller's authorized scope. This is a classic object-level authorization failure, sometimes referred to as IDOR (Insecure Direct Object Reference) in the context of REST APIs.
RemediationAI
Vendor-released patch: v15.0.6. Upgrade OneDev to version 15.0.6 immediately; the release is available at https://github.com/theonedev/onedev/releases/tag/v15.0.6 with installation guidance at https://docs.onedev.io/category/installation-guide. If immediate upgrade is not feasible, restrict access to the /issues/ endpoint to only trusted, fully-vetted internal users by placing OneDev behind a network access control layer or WAF that enforces project-scoped user segmentation. Additionally, audit existing issue access logs for anomalous cross-project or cross-user access patterns. Note that restricting network access is a compensating control only - it does not fix the underlying authorization logic and should not substitute for patching.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34976
GHSA-v89h-g8w6-9crx