Skip to main content

OneDev CVE-2026-44647

| EUVDEUVD-2026-30478 HIGH
Path Traversal (CWE-22)
2026-05-14 security-advisories@github.com
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 14, 2026 - 22:04 vuln.today
Patch available
May 14, 2026 - 22:02 EUVD
CVE Published
May 14, 2026 - 21:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.

AnalysisAI

Path traversal in OneDev Git server allows authenticated users with repository push permissions to read arbitrary files accessible to the server process. The vulnerability exploits improper validation of repository-controlled LFS (Large File Storage) metadata to break expected path boundaries, enabling file reads outside intended repository storage. A vendor-released patch is available in version 15.0.2. CVSS 7.1 reflects high confidentiality impact via network-based attack with low complexity requiring only low-privilege authentication.

Technical ContextAI

OneDev is a self-hosted Git server with integrated CI/CD, kanban boards, and package management capabilities. This vulnerability affects the Git LFS (Large File Storage) implementation, which uses pointer files in the repository to reference large binary objects stored separately on the server. The CWE-22 path traversal flaw occurs when OneDev processes LFS metadata files that repositories control - the server fails to properly sanitize or validate file paths embedded in these metadata structures before using them for filesystem operations. This allows repository-controlled data to escape its expected storage boundary and direct the server to read arbitrary local files. The CVSS 4.0 vector confirms network attack vector (AV:N) with low complexity (AC:L) requiring low privileges (PR:L), resulting in high confidentiality impact (VC:H) with no integrity or availability impact.

RemediationAI

Upgrade to OneDev version 15.0.2 or later, which contains the vendor-released patch addressing the LFS metadata path validation issue. The fix is available through the project's GitHub releases at https://github.com/theonedev/onedev. Organizations unable to immediately upgrade should implement compensating controls: restrict repository push permissions to only fully trusted users (conduct access review); enable audit logging for all LFS operations to detect potential exploitation attempts; run the OneDev server process with minimal filesystem permissions using principle of least privilege, restricting access to sensitive directories via OS-level access controls or containerization; consider filesystem isolation through chroot jails or containers to limit blast radius of arbitrary file reads. Note that restricting LFS functionality entirely may break legitimate large file workflows. Review server logs for unusual LFS metadata operations or file access patterns to non-repository paths as potential indicators of exploitation attempts.

Share

CVE-2026-44647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy