Skip to main content

OneDev CVE-2026-11441

| EUVDEUVD-2026-34976 MEDIUM
Improper Authorization (CWE-285)
2026-06-06 VulDB GHSA-v89h-g8w6-9crx
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 06, 2026 - 18:30 vuln.today
Analysis Generated
Jun 06, 2026 - 18:30 vuln.today
CVSS changed
Jun 06, 2026 - 18:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.

AnalysisAI

Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The canAccessIssue function in the /issues/ endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.

Technical ContextAI

OneDev is a self-hosted Git server and DevOps platform (CPE: cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*). The vulnerability resides in the canAccessIssue function within the Pull Request Handler component, responsible for determining whether a user has permission to access a given issue object via the /issues/ endpoint. CWE-285 (Improper Authorization) indicates the authorization logic accepts or processes a request without adequately verifying that the requesting user has the necessary permissions - in this case, the issue argument can be manipulated to reference issues outside the caller's authorized scope. This is a classic object-level authorization failure, sometimes referred to as IDOR (Insecure Direct Object Reference) in the context of REST APIs.

RemediationAI

Vendor-released patch: v15.0.6. Upgrade OneDev to version 15.0.6 immediately; the release is available at https://github.com/theonedev/onedev/releases/tag/v15.0.6 with installation guidance at https://docs.onedev.io/category/installation-guide. If immediate upgrade is not feasible, restrict access to the /issues/ endpoint to only trusted, fully-vetted internal users by placing OneDev behind a network access control layer or WAF that enforces project-scoped user segmentation. Additionally, audit existing issue access logs for anomalous cross-project or cross-user access patterns. Note that restricting network access is a compensating control only - it does not fix the underlying authorization logic and should not substitute for patching.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2022-39208 HIGH POC
7.5 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2023-24828 HIGH
8.8 Feb 08

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-11441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy