CVE-2026-11439
Status: Deferred - Pending Action
Improper Authorization in OneDev Parent Project Handler

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-06
EPSS Evaluated: 2026-06-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: theonedev; Product: onedev; Version / Range: up to 15.0.5 (inclusive)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Mitigation Strategies

The primary mitigation step is to upgrade the onedev system to version 15.0.6, which addresses this vulnerability.

Additionally, it is recommended to implement stricter authorization checks on the project.parentId parameter to prevent unauthorized modifications.

Monitoring and auditing project parent changes can help detect and prevent exploitation until the upgrade is applied.

Compliance Impact

The vulnerability allows improper authorization through manipulation of the project.parentId parameter, enabling attackers to move projects into unauthorized namespaces and alter permission hierarchies. This can lead to unauthorized access to private repository contents and sensitive operational details.

Such unauthorized access and manipulation of project data could potentially lead to violations of data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

Therefore, this vulnerability may negatively impact compliance with these standards by undermining the confidentiality and integrity of protected data.

Executive Summary

This vulnerability affects the OneDev system, specifically the Parent Project Handler component related to the /projects/ file. It involves improper authorization due to manipulation of the project.parentId argument. Attackers can exploit this flaw remotely to rebind parent projects without proper permissions, effectively moving projects into unauthorized namespaces and altering permission hierarchies.

Impact Analysis

The vulnerability can allow an attacker to bypass authorization controls and manipulate project parent relationships. This can lead to unauthorized access or modification of project structures, potentially exposing private repositories or altering permission settings. Such unauthorized changes can compromise project integrity and confidentiality.

Detection Guidance

Detecting exploitation attempts involves monitoring requests that manipulate the project.parentId parameter in the /projects/ component of the onedev system. Suspicious or unauthorized attempts to change a project's parent association remotely may indicate exploitation attempts.

Since the vulnerability relates to improper authorization on project.parentId manipulation, network or application logs should be inspected for unusual API calls or parameter changes involving project.parentId.

Specific commands are not provided in the available resources, but general approaches include searching web server or application logs for requests containing 'project.parentId' or monitoring API traffic for unauthorized changes. Note that standard web server access logs record only the request line and query string, so a parameter sent in a POST body will appear there only if request bodies are logged; application-level audit logs of parent-project changes are the more reliable source.
