CVE-2026-11438
Improper Authorization in OneDev via Forked Project ID Manipulation
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theonedev | onedev | up to 15.0.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the OneDev project management system up to version 15.0.5. It involves improper authorization caused by manipulation of the argument project.forkedFromId in the /projects functionality. An attacker can exploit this remotely to perform unauthorized cross-project repository forking, allowing them to replicate private repository contents without proper read permissions.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access and replication of private repositories by exploiting the forkedFromId parameter. This means sensitive or confidential project data could be exposed to unauthorized users. Additionally, it may allow attackers to alter project permissions and namespaces, potentially compromising project integrity and confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized manipulation of the project.forkedFromId parameter in requests to the /projects endpoint, which could indicate attempts to exploit improper authorization.
Specifically, network or application logs should be inspected for unusual or unauthorized cross-project repository forking activities or unexpected changes involving the forkedFromId parameter.
Since the vulnerability is related to REST API calls, commands or tools that capture and analyze HTTP requests to the OneDev server can be used.
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP traffic to the OneDev server and look for POST or PUT requests to /projects containing the forkedFromId parameter.
- Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'forkedFromId' (note that the grep can only match plaintext HTTP on port 80; traffic on port 443 is TLS-encrypted, so for HTTPS deployments inspect the access logs of the TLS-terminating reverse proxy or of OneDev itself instead).
- Check OneDev application logs for authorization failures or suspicious project fork operations.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the OneDev software to version 15.0.6 or later, as this version addresses the improper authorization issue related to the forkedFromId parameter.
Until the upgrade can be applied, restrict access to the /projects endpoint to trusted users only and monitor for suspicious activity involving project forking.
Implement stricter authorization checks and review permission settings to minimize the risk of unauthorized repository forking.
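The detection and mitigation answers above both come down to one predicate: a fork request is legitimate only if the requesting user already has read permission on the project named by project.forkedFromId. The following added example (not code from OneDev or from this advisory) shows that predicate as an explicit authorization check and then reuses it to scan log lines for fork requests that would have failed it. The log line format, the user names, the project ids and the permission table are all constructed assumptions for illustration; a real deployment would adapt the parser to the reverse proxy's or OneDev's actual log format and read permissions from the application.

```python
"""Defender-side example for CVE-2026-11438: flag write requests to /projects
whose project.forkedFromId names a project the requesting user cannot read.

Everything here is constructed: the log format, the permission table and the
project ids are assumptions, not OneDev's own format, API or data.
"""
import re
from urllib.parse import parse_qs

# Assumed (constructed) log format: "<timestamp> user=<name> <METHOD> <path>[?<query>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>/\S*?)(?:\?(?P<query>\S*))?$"
)

# Constructed permission table: project id -> users allowed to read it ("*" = public).
READ_PERMS = {
    "101": {"alice", "bob"},  # private project readable by alice and bob
    "202": {"carol"},         # private project readable only by carol
    "303": {"*"},             # public project
}


def can_read(user: str, project_id: str) -> bool:
    """The check a fork operation must pass before replicating a repository:
    the actor needs read permission on the source project. Unknown ids are
    denied by default rather than falling through to 'allowed'."""
    readers = READ_PERMS.get(project_id)
    if readers is None:
        return False
    return "*" in readers or user in readers


def parse_line(line: str):
    """Parse one constructed log line into a record, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    query = parse_qs(m.group("query") or "")
    forked_from = query.get("project.forkedFromId", [None])[0]
    return {
        "ts": m.group("ts"),
        "user": m.group("user"),
        "method": m.group("method"),
        "path": m.group("path"),
        "forked_from": forked_from,
    }


def find_suspicious_forks(lines):
    """Return (user, forkedFromId, timestamp) for every POST/PUT to /projects that
    names a source project the requesting user is not permitted to read."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["forked_from"] is None:
            continue  # unparseable, or not a fork request at all
        if rec["method"] not in ("POST", "PUT") or not rec["path"].startswith("/projects"):
            continue
        if not can_read(rec["user"], rec["forked_from"]):
            hits.append((rec["user"], rec["forked_from"], rec["ts"]))
    return hits


# Constructed sample log: two legitimate forks, one fork of a project the user
# cannot read, one fork naming an unknown project id, one unrelated GET, one junk line.
SAMPLE_LOG = [
    "2026-06-06T10:00:01Z user=alice POST /projects?project.forkedFromId=101",
    "2026-06-06T10:00:05Z user=bob POST /projects?project.forkedFromId=202",
    "2026-06-06T10:00:09Z user=mallory PUT /projects?project.forkedFromId=303",
    "2026-06-06T10:00:12Z user=mallory POST /projects?project.forkedFromId=999",
    "2026-06-06T10:00:15Z user=mallory GET /projects/202",
    "not a log line",
]

if __name__ == "__main__":
    for user, src, ts in find_suspicious_forks(SAMPLE_LOG):
        print(f"{ts} suspicious fork: user={user} lacks read on forkedFromId={src}")
```

The same can_read predicate is what the server-side fix has to enforce at the moment the fork is created; running it over historical logs after upgrading to 15.0.6 tells you whether the gap was actually used before the patch.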
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized cross-project repository forking by exploiting the forkedFromId parameter, enabling attackers to replicate private repository contents without proper read authorization.
This unauthorized access to potentially sensitive or private data could lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal or sensitive information.
Therefore, the vulnerability may impact compliance by exposing data to unauthorized parties, undermining confidentiality and access control requirements mandated by these standards.