CVE-2026-49248
Status: Received (Intake)
Symbolic Link Traversal in OneDev Git Server

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from the TAR entry's getLinkName() without checking whether the link target is an absolute path. A subsequent file entry in the same archive whose path passes through that symlink is then written to an arbitrary server-side location. This is exploitable by any authenticated user with CI Job write access; no admin interaction is required. It is an incomplete-fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. The issue has been fixed in version 15.0.7.
Affected Vendors & Products (2 associated CPEs)

Vendor   Product   Version / Range
onedev   onedev    all versions before 15.0.7 (15.0.7 excluded)
onedev   onedev    15.0.7 (the fixed release named in the description)
CWE-61 (UNIX Symbolic Link (Symlink) Following): The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Executive Summary

This vulnerability exists in OneDev, a Git server with CI/CD, kanban, and packages, specifically in versions 15.0.6 and below. The issue is in the TarUtils.untar() function, which creates symbolic links from TAR archive entries without validating if the target path is absolute. Because of this, a subsequent file entry in the same archive can traverse the symlink and write files to arbitrary locations on the server.

This flaw can be exploited by any authenticated user who has CI Job write access, and it does not require any administrator interaction. It is a bypass of a previous fix (CVE-2021-21251) that only blocked relative path traversal (.. segments) but did not address absolute symlink targets. The vulnerability was fixed in version 15.0.7.
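To make the two checks concrete, here is an added illustration of the mechanism the Description and the summary above describe. It is not OneDev's code (TarUtils is Java; this is Python, chosen so it runs stand-alone), and the archive, entry names and PAYLOAD bytes are constructed for the demo. It builds an archive whose first entry is a symlink with an absolute target and whose second entry is a file routed through that link, runs it through an extractor that only rejects `..` segments (the CVE-2021-21251 style of fix), then through one that also confines symlink targets, and checks that the hardened version still extracts a legitimate in-tree symlink.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample content (not from the advisory).
PAYLOAD = b"written through a planted symlink\n"


def build_tar(entries) -> bytes:
    """Build an uncompressed TAR in memory from ("symlink", name, linkname) and
    ("file", name, bytes) tuples.  Order matters: the symlink entry must come
    before the file entry that is written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for kind, name, value in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = value      # stored verbatim, absolute or not
                tf.addfile(info)
            else:
                info.size = len(value)
                tf.addfile(info, io.BytesIO(value))
    return buf.getvalue()


def untar_dotdot_check_only(data: bytes, dest: str) -> None:
    """The incomplete hardening: '..' segments are rejected, but symlink
    entries are recreated with whatever link name the archive supplies."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            if ".." in m.name.split("/"):
                raise ValueError(f"traversal segment in {m.name!r}")
            path = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)   # absolute target never checked
            elif m.isfile():
                with open(path, "wb") as fh:   # open() follows the planted link
                    fh.write(tf.extractfile(m).read())


def untar_hardened(data: bytes, dest: str) -> None:
    """Keeps every entry path and every symlink target inside dest."""
    root = os.path.realpath(dest)

    def confine(relative: str) -> str:
        # realpath follows links created by earlier entries, so a path routed
        # through an already planted symlink resolves to where the write lands.
        full = os.path.realpath(os.path.join(root, relative))
        if os.path.commonpath([root, full]) != root:
            raise ValueError(f"entry escapes extraction root: {relative!r}")
        return full

    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            path = confine(m.name)
            if m.issym():
                if os.path.isabs(m.linkname):
                    raise ValueError(f"absolute symlink target in {m.name!r}")
                # Relative targets resolve from the link's own directory and
                # must stay inside root too (catches '../../..' targets).
                confine(os.path.join(os.path.dirname(m.name), m.linkname))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                os.symlink(m.linkname, path)
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(tf.extractfile(m).read())
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            # Hard links, devices and other types are deliberately not extracted.


def demonstrate() -> dict:
    """Run both extractors on a malicious and on a benign archive."""
    with tempfile.TemporaryDirectory() as outside, \
         tempfile.TemporaryDirectory() as dest_vuln, \
         tempfile.TemporaryDirectory() as dest_safe:
        # The advisory's shape: absolute symlink, then a file written through it.
        malicious = build_tar([("symlink", "link", outside),
                               ("file", "link/pwned.txt", PAYLOAD)])
        # In-root relative symlink: legitimate archives do this and must still work.
        benign = build_tar([("file", "data/real.txt", b"ok\n"),
                            ("symlink", "alias", "data/real.txt")])
        untar_dotdot_check_only(malicious, dest_vuln)
        wrote_outside = os.path.isfile(os.path.join(outside, "pwned.txt"))
        try:
            untar_hardened(malicious, dest_safe)
            rejected = False
        except ValueError:
            rejected = True
        planted = os.path.lexists(os.path.join(dest_safe, "link"))
        untar_hardened(benign, dest_safe)
        with open(os.path.join(dest_safe, "alias"), "rb") as fh:
            benign_ok = fh.read() == b"ok\n"
        return {"dotdot_check_wrote_outside_root": wrote_outside,
                "hardened_rejected_malicious": rejected,
                "hardened_planted_link": planted,
                "hardened_extracted_benign": benign_ok}
```

The point of `confine` is that it resolves the final path with `realpath`, so it catches both an absolute link target and a file entry routed through a link that an earlier entry already planted; checking for `..` substrings alone sees neither. On Python 3.12 (and the 3.8 to 3.11 security releases that backported PEP 706), `TarFile.extractall(filter="data")` applies equivalent rules; the hand-written loop is here only to show what the check has to cover.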

Impact Analysis

The write happens with the privileges of the OneDev server process, so an attacker with CI Job write access can create or overwrite any file that process can write, not just files inside the job workspace. Depending on what is reachable, that includes the server's own configuration and data directories, which undermines the integrity of the installation and can often be turned into code execution as the service account.

Since no administrator interaction is required, the risk is higher in environments where many users hold CI Job write permissions (for example, every developer who can edit a build spec). Plausible outcomes are privilege escalation on the host, service disruption, and planting of malicious files that later jobs or the server itself consume.

Mitigation Strategies

The vulnerability is fixed in OneDev 15.0.7; upgrade to 15.0.7 or later.

Until the upgrade is applied, limit who holds CI Job write access, since any such user can trigger the vulnerable extraction, and review recent job definitions and job artifacts for unexpected symlink entries or for files that appeared outside the job workspace.
