Skip to main content

OneDev CVE-2026-49248

| EUVDEUVD-2026-37942 HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-06-18 GitHub_M
8.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable HTTP API, low complexity, requires authenticated user with CI Job write role (PR:L), no user interaction; primitive is arbitrary file write so I:H, with C:N and A:N as direct impacts.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 20:45 vuln.today
Analysis Generated
Jun 18, 2026 - 20:45 vuln.today

DescriptionCVE.org

OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access - no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.

AnalysisAI

Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked .. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to OneDev with CI Job write role
Delivery
Craft TAR with absolute-path symlink + follow-up file entry
Exploit
Submit archive to a job that invokes TarUtils.untar()
Install
Symlink created verbatim, file write follows link
C2
Overwrite OneDev config, JAR, or authorized_keys
Execute
Trigger reload or reconnect
Impact
Code execution as OneDev service account

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a reachable OneDev instance at version 15.0.6 or earlier, (2) valid credentials for an account that has been granted CI Job write permission on at least one project - admin is explicitly NOT required, but anonymous access is insufficient - and (3) the ability to supply a TAR archive that OneDev's `TarUtils.untar()` will extract during CI/job processing, with a symlink entry whose `linkName` is an absolute path and a following file entry that writes through it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is meaningful but bounded by the authentication requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An internal developer or compromised low-privilege account with CI Job write access uploads or references a malicious TAR archive (for example as a build artifact or job dependency) whose first entry is a symlink such as `payload -> /opt/onedev/site/lib/somelib.jar` and whose second entry writes attacker-controlled bytes to `payload`. When OneDev calls `TarUtils.untar()` during job execution, the symlink is created verbatim and the subsequent write follows it, overwriting a server-side JAR, an SSH `authorized_keys` file, or a cron drop-in, which on next load yields code execution as the OneDev service account. …
Remediation Vendor-released patch: OneDev 15.0.7 - upgrade immediately via the standard OneDev upgrade procedure; the fix is delivered through bumped internal module versions (`commons` 3.3.1 and `agent` 2.5.9) per commit 4f8684a, so a partial component update will not suffice and the full 15.0.7 release should be deployed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OneDev instances and identify users holding CI Job write permissions; enable enhanced logging on TAR artifact uploads. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2022-39208 HIGH POC
7.5 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2023-24828 HIGH
8.8 Feb 08

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-49248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy