Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
AnalysisAI
Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the project.parentId parameter in the /projects/ Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.
Technical ContextAI
OneDev is a self-hosted, open-source Git server and DevOps platform supporting project management, CI/CD pipelines, and code review. The vulnerability resides in the Parent Project Handler component, which governs hierarchical relationships between projects via the /projects/ API endpoint. CWE-285 (Improper Authorization) identifies the root cause as a failure to correctly enforce permission checks on the project.parentId argument - meaning the application authenticates the user but does not adequately verify whether that user holds sufficient rights to assign or manipulate a given project's parent relationship. This is structurally distinct from an authentication bypass in the traditional sense; the user is legitimately logged in, but the server-side authorization gate for parent project reassignment is insufficiently enforced. The CPE string cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:* confirms all variants of the OneDev server application are in scope.
RemediationAI
The primary and recommended remediation is to upgrade OneDev to version 15.0.6 or later, which contains the vendor-released patch. The release is available at https://github.com/theonedev/onedev/releases/tag/v15.0.6, and the CVSS RL:O temporal metric confirms this is an official vendor fix. If an immediate upgrade is not operationally feasible, a compensating control would be to restrict access to the /projects/ API endpoint at the reverse-proxy or network perimeter layer to a known, trusted set of IP ranges or privileged user segments only - noting that this will disrupt legitimate project management workflows for users outside those ranges. Additionally, administrators should audit recent project parent-assignment changes in the OneDev activity log to detect any unauthorized hierarchy modifications that may have occurred prior to patching. No workarounds short of network-layer access restriction are evident from the available data.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34974
GHSA-q98j-2qw6-gh6w