CVE-2026-11439
Improper Authorization in OneDev Parent Project Handler
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theonedev | onedev | up to 15.0.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows improper authorization through manipulation of the project.parentId parameter, enabling attackers to move projects into unauthorized namespaces and alter permission hierarchies. This can lead to unauthorized access to private repository contents and sensitive operational details.
Such unauthorized access and manipulation of project data could potentially lead to violations of data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.
Therefore, this vulnerability may negatively impact compliance with these standards by undermining the confidentiality and integrity of protected data.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OneDev to version 15.0.6, which addresses this vulnerability.
Additionally, it is recommended to implement stricter authorization checks on the project.parentId parameter to prevent unauthorized modifications.
Monitoring and auditing project parent changes can help detect and prevent exploitation until the upgrade is applied.
Can you explain this vulnerability to me?
This vulnerability affects the OneDev system, specifically the Parent Project Handler component related to the /projects/ file. It involves improper authorization due to manipulation of the project.parentId argument. Attackers can exploit this flaw remotely to rebind parent projects without proper permissions, effectively moving projects into unauthorized namespaces and altering permission hierarchies.
How can this vulnerability impact me?
The vulnerability can allow an attacker to bypass authorization controls and manipulate project parent relationships. This can lead to unauthorized access or modification of project structures, potentially exposing private repositories or altering permission settings. Such unauthorized changes can compromise project integrity and confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring requests that manipulate the project.parentId parameter in the /projects/ component of OneDev. Suspicious or unauthorized attempts to change a project's parent association remotely may indicate exploitation attempts.
Since the vulnerability relates to improper authorization on project.parentId manipulation, network or application logs should be inspected for unusual API calls or parameter changes involving project.parentId.
Specific commands are not provided in the available resources, but general approaches include grepping web server or application logs for requests containing 'project.parentId', or monitoring API traffic for parent changes made by users who should not be able to make them.
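As an added example of the log review described above (not taken from the CVE record or from OneDev), the script below scans application-log lines for POST requests carrying project.parentId, then flags rebinds by actors outside an allowlist and bursts of rebinds from one actor. The log format is constructed for the example; adapt the regular expressions to whatever your reverse proxy or OneDev's own logging actually emits:

```python
# Added example: flag project.parentId changes in application logs.
# The log line format below is constructed for illustration, not OneDev's real format.
import re
from collections import Counter

# Constructed sample log: one legitimate rebind by alice, a read by bob,
# and three rapid rebinds of different projects by mallory.
SAMPLE_LOG = """\
2026-06-06T10:00:01Z user=alice method=POST path=/projects/42/edit params="project.name=api&project.parentId=7"
2026-06-06T10:00:05Z user=bob method=GET path=/projects/42 params=""
2026-06-06T10:00:09Z user=mallory method=POST path=/projects/42/edit params="project.parentId=1"
2026-06-06T10:00:10Z user=mallory method=POST path=/projects/43/edit params="project.parentId=1"
2026-06-06T10:00:11Z user=mallory method=POST path=/projects/44/edit params="project.parentId=1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) '
    r'path=(?P<path>\S+) params="(?P<params>[^"]*)"'
)
PARENT_RE = re.compile(r'(?:^|&)project\.parentId=(?P<pid>[^&]*)')
PROJECT_RE = re.compile(r'^/projects/(?P<id>\d+)')


def parse_rebinds(log_text: str) -> list:
    """Return one event per state-changing request that carries project.parentId."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parent = PARENT_RE.search(m["params"])
        if not parent:
            continue
        proj = PROJECT_RE.match(m["path"])
        events.append({
            "ts": m["ts"],
            "user": m["user"],
            "project": int(proj["id"]) if proj else None,
            "new_parent": parent["pid"],
        })
    return events


def find_suspicious(events: list, authorized_users: set, burst_threshold: int = 3) -> list:
    """Flag rebinds by non-allowlisted actors and actors rebinding many projects."""
    findings = []
    for e in events:
        if e["user"] not in authorized_users:
            findings.append(("unauthorized_actor", e["user"], e["project"], e["new_parent"]))
    per_user = Counter(e["user"] for e in events)
    for user, count in per_user.items():
        if count >= burst_threshold:
            findings.append(("burst", user, count))
    return findings


if __name__ == "__main__":
    evts = parse_rebinds(SAMPLE_LOG)
    # Allowlist of accounts expected to restructure projects; constructed for the example.
    for finding in find_suspicious(evts, authorized_users={"alice"}):
        print(finding)
```

The allowlist stands in for whatever your organisation treats as the set of people permitted to restructure projects; on an unpatched instance every rebind from outside that set deserves a look, and on a patched one the same report remains a cheap audit trail for permission-hierarchy changes.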