Which versions of OneDev are affected by CVE-2026-44647?

OneDev Git server versions prior to 15.0.2 contain a path traversal vulnerability that allows authenticated repository contributors to read arbitrary files from the server, posing a direct threat to…. A patch is available.

How to fix or mitigate CVE-2026-44647?

Within 24 hours: Inventory all OneDev Git server instances and identify current version numbers. Within 7 days: Apply vendor patch to upgrade all OneDev installations to version 15.0.2 or later, prioritizing production environments. Within 30 days: Audit access logs for suspicious file read patterns from authenticated users with push permissions and verify no unauthorized data access occurred during the vulnerability window.

OneDev CVE-2026-44647

Q: What is the CVSS score of CVE-2026-44647?

CVE-2026-44647 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30478 HIGH

Path Traversal (CWE-22)

2026-05-14 security-advisories@github.com

Path Traversal

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 14, 2026 - 22:04 vuln.today

Patch available

May 14, 2026 - 22:02 EUVD

CVE Published

May 14, 2026 - 21:16 nvd

HIGH 7.1

DescriptionNVD

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.

AnalysisAI

Path traversal in OneDev Git server allows authenticated users with repository push permissions to read arbitrary files accessible to the server process. The vulnerability exploits improper validation of repository-controlled LFS (Large File Storage) metadata to break expected path boundaries, enabling file reads outside intended repository storage. …

RemediationAI

Within 24 hours: Inventory all OneDev Git server instances and identify current version numbers. Within 7 days: Apply vendor patch to upgrade all OneDev installations to version 15.0.2 or later, prioritizing production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44647 vulnerability details – vuln.today

Back

OneDev CVE-2026-44647

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OneDev CVE-2026-44647

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code