CVE-2026-11440
Improper Authorization in OneDev Up to 15.0.5
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theonedev | onedev | to 15.0.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in theonedev onedev versions up to 15.0.5, specifically in the REST API endpoint /repositories/{projectId}/default-branch. It is triggered by manipulation of the argument project.defaultBranch and results in improper authorization: the endpoint does not correctly verify that the caller is permitted to perform the requested action, so a remote attacker can perform actions on the project's default branch that they are not authorized to perform.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with network access can remotely exploit the improper authorization to potentially access or modify resources related to the default branch of a project repository. This could lead to unauthorized changes, data exposure, or disruption of normal operations within the affected component.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the affected component theonedev onedev to version 15.0.6 or later. The upgrade closes the improper authorization reachable through manipulation of the project.defaultBranch argument in the REST API.