CVE-2026-11440
Deferred - Pending Action
Improper Authorization in OneDev Up to 15.0.5

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was found in OneDev (vendor theonedev) up to version 15.0.5. It affects an unknown part of the file /repositories/{projectId}/default-branch in the REST API component. Manipulation of the argument project.defaultBranch leads to improper authorization. The attack can be launched remotely. Upgrading to version 15.0.6 mitigates this issue; upgrading the affected component is advised.
Meta Information
Published: 2026-06-06
Last Modified: 2026-06-08
Generated: 2026-06-27
AI Q&A: 2026-06-06
EPSS Evaluated: 2026-06-25
Affected Vendors & Products (1 associated CPE)
Vendor     Product   Version / Range
theonedev  onedev    up to 15.0.5 (inclusive)
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Quick Actions
Compliance Impact

The vulnerability is an improper authorization flaw in the OneDev REST API that allows a user without the required permission to change a project repository's default branch. This can lead to unauthorized data manipulation or exposure within project repositories.

Such unauthorized access and potential data exposure could affect compliance with standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive data. However, the available information does not explicitly describe the direct effects on compliance with these regulations.

Detection Guidance

This vulnerability is an improper authorization flaw in the REST API endpoint /repositories/{projectId}/default-branch of OneDev, which allows the project.defaultBranch argument to be manipulated. Detection involves monitoring, or testing, access to this specific endpoint to check whether users without the required permission can modify the default branch.

A suggested detection method is to send crafted HTTP requests to the REST API endpoint /repositories/{projectId}/default-branch and verify whether a user lacking the proper permission can change the default branch.

Example commands using curl to test this might be:

  • curl -X PUT -H "Authorization: Bearer <unauthorized_token>" -d '{"defaultBranch":"malicious-branch"}' https://<onedev-server>/repositories/<projectId>/default-branch
  • Observe the response to see if the request is accepted or rejected. Acceptance indicates the vulnerability.

Note that these commands require knowledge of the API endpoint and an unauthorized token or session to test improper authorization.
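Beyond one-off testing, the monitoring side of that guidance can be turned into a log check. The script below is an added example and not part of the advisory or of OneDev: it scans reverse-proxy access log lines (constructed samples in Common Log Format, with the authenticated user in the third field, both assumptions) for write requests to the advisory's endpoint and flags those made by principals that are not permitted to change the project's default branch. The endpoint path is taken from the advisory; a real deployment may serve it under a different prefix, which is another assumption to adjust.

```python
import re

# Endpoint path as named in the advisory; a real deployment may serve it under a
# different prefix (assumption), so adjust ENDPOINT_RE to the observed path.
ENDPOINT_RE = re.compile(r"^/repositories/(?P<project>\d+)/default-branch/?$")
# Common Log Format with the authenticated user in the third field (assumed); "-" = anonymous.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"PUT", "POST", "PATCH"}


def scan_access_log(lines, allowed_by_project):
    """Return one finding per write to the default-branch endpoint made by a
    principal not on that project's allow-list. A 2xx status on such a request
    is the strongest sign that the authorization check did not hold."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        e = ENDPOINT_RE.match(m["path"].split("?", 1)[0])  # drop query string
        if not e:
            continue
        project, user, status = e["project"], m["user"], int(m["status"])
        if user == "-":
            reason = "anonymous write"
        elif user not in allowed_by_project.get(project, set()):
            reason = "user not permitted for project"
        else:
            continue  # permitted principal; nothing to report
        if 200 <= status < 300:
            reason += ", accepted (2xx)"
        findings.append({"ts": m["ts"], "ip": m["ip"], "user": user,
                         "project": project, "status": status, "reason": reason})
    return findings


# Constructed sample log lines; only "alice" may change project 12's default branch.
SAMPLE_LOG = [
    '10.0.0.5 - alice [06/Jun/2026:10:00:01 +0000] "PUT /repositories/12/default-branch HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.9 - bob [06/Jun/2026:10:00:05 +0000] "PUT /repositories/12/default-branch HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.9 - - [06/Jun/2026:10:00:07 +0000] "POST /repositories/12/default-branch?x=1 HTTP/1.1" 403 12 "-" "curl/8.0"',
    '10.0.0.9 - bob [06/Jun/2026:10:00:09 +0000] "GET /repositories/12/default-branch HTTP/1.1" 200 30 "-" "curl/8.0"',
]
ALLOWED = {"12": {"alice"}}

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, ALLOWED):
        print(f)
```

On the constructed sample, bob's accepted PUT is reported as a likely bypass and the anonymous POST as a rejected attempt, while alice's permitted change and bob's read-only GET are ignored.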

Executive Summary

This vulnerability exists in OneDev (vendor theonedev) versions up to 15.0.5, specifically in the REST API endpoint /repositories/{projectId}/default-branch. Manipulation of the argument project.defaultBranch leads to improper authorization, meaning that an attacker can remotely exploit this flaw to perform actions they are not authorized to perform.

Impact Analysis

An attacker with network access can remotely exploit the improper authorization to access or modify resources related to the default branch of a project repository. This could lead to unauthorized changes, data exposure, or disruption of normal operations within the affected component.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the affected component, OneDev (vendor theonedev), to version 15.0.6 or later.

Upgrading the component is advised to prevent the improper authorization caused by manipulation of the project.defaultBranch argument in the REST API.
