CVE-2026-11438: OneDev Authorization Bypass in Project Forking – Patch Guidance
A security flaw in OneDev versions up to 15.0.5 allows authenticated users to manipulate project forking parameters in a way that bypasses authorization controls. An attacker with valid credentials can supply a crafted project ID in the forking mechanism to gain unauthorized access or modify projects they should not have permission to touch. This is a remote vulnerability requiring only standard user login—no special network access or user interaction needed beyond the attack itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11438 is an improper authorization vulnerability (CWE-266, CWE-285) in the OneDev /projects endpoint. The vulnerability exists in the project forking functionality, specifically in the handling of the project.forkedFromId parameter. An authenticated attacker can craft requests that manipulate this parameter to bypass authorization checks, potentially allowing them to fork projects from or to contexts where they lack explicit permission. The vulnerability is remotely exploitable and requires only valid authentication credentials. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) indicates network accessibility, low complexity, and impact across confidentiality, integrity, and availability.
Business impact
This vulnerability introduces risk of unauthorized project access and modification within OneDev instances. Depending on the sensitivity of projects stored in the system, attackers could gain visibility into private repositories, tamper with project configurations or code, or disrupt project availability. The impact is limited to authenticated users, reducing blast radius in environments with strong credential hygiene, but in shared or multi-tenant deployments, a compromised account could be leveraged to access or modify unrelated projects. For organizations using OneDev as a primary code repository platform, this represents a data confidentiality and integrity concern.
Affected systems
OneDev versions 15.0.5 and earlier are vulnerable. OneDev 15.0.6 and later versions have remediated this issue. The vulnerability does not appear on published vendor advisories as affecting downstream products, but any system running the affected OneDev versions in production is at risk.
Exploitability
The vulnerability is exploitable by any user with valid OneDev credentials. No additional privileges, special network positioning, or user interaction is required. The attack surface is the /projects endpoint, which is typically accessible to authenticated users within an organization. Exploitability is straightforward from a technical perspective, though the impact is restricted to the scope of projects the authenticated user can interact with under normal circumstances—meaning an attacker must first obtain or compromise a legitimate account.
Remediation
The primary remediation is to upgrade OneDev to version 15.0.6 or later. Organizations should prioritize this patch given the medium severity rating and the ease of exploitation by authenticated users. If immediate patching is not possible, review access controls and monitor for suspicious project forking activity.
Patch guidance
Upgrade to OneDev version 15.0.6 or a later release. Verify compatibility with your current deployment configuration before upgrading, particularly if you are running custom plugins or extensions. Test in a non-production environment first to confirm no regressions. The upgrade path from 15.0.5 to 15.0.6 should be straightforward; consult the OneDev release notes for any specific migration or configuration steps.
Detection guidance
Monitor /projects endpoint logs for unusual or high-volume forking requests, particularly those originating from service accounts or low-privilege users. Look for requests where the project.forkedFromId parameter values do not match the user's normal project scope. Track authentication logs for accounts that fork multiple projects in atypical patterns. If your OneDev instance logs API request payloads, inspect them for parameter manipulation attempts on project creation or forking operations. Baseline normal forking behavior for your organization to identify anomalies.
Why prioritize this
This vulnerability merits prompt attention because it combines remote network access, low attack complexity, and the need for only standard user authentication. While the CVSS score of 6.3 is medium, the authorization bypass nature and ease of exploitation make it worth prioritizing ahead of vulnerabilities with similar scores that require higher privileges or greater complexity. In multi-user environments, the risk compounds with each potential compromised or malicious account.
Risk score, explained
The CVSS 3.1 score of 6.3 (MEDIUM) reflects a vulnerability with network accessibility (AV:N) and low attack complexity (AC:L), but limited to authenticated users (PR:L). The impact is partial across confidentiality, integrity, and availability (C:L/I:L/A:L)—not total system compromise, but meaningful risk of data exposure and modification. The lack of scope change (S:U) means the vulnerability is confined to the affected component's security domain. The score appropriately captures a significant but not critical threat.
Frequently asked questions
Who can exploit this vulnerability?
Any user with valid OneDev credentials can attempt exploitation. This includes legitimate employees with accounts, contractors, or anyone whose credentials have been compromised. Privileged admin accounts pose greater risk due to their broader project access.
Can this vulnerability be exploited from outside the network?
Yes. The CVSS vector indicates network accessibility (AV:N), meaning the vulnerability can be exploited remotely over the network. However, the attacker must authenticate with valid credentials first—there is no unauthenticated attack path.
Will patching to 15.0.6 break my existing workflows?
OneDev typically maintains backward compatibility across patch releases. Version 15.0.6 is a patch release addressing a specific authorization flaw. Review the OneDev release notes and test in a staging environment first to confirm compatibility with your custom configurations.
How do I know if this vulnerability was exploited in my OneDev instance?
Review authentication logs for unusual account activity, inspect forking operation logs for requests with unexpected project IDs, and audit project history for unauthorized changes or forks. If you have access to API request logs, search for manipulation of the project.forkedFromId parameter.
This analysis is based on publicly available vulnerability data and OneDev vendor advisories. Organizations are responsible for verifying patch applicability, testing in their environments, and confirming no additional vulnerabilities exist in their specific deployments. This document does not constitute professional security advice; consult with your security team and vendor before implementing changes. No exploit code or detailed attack instructions are provided. The vulnerability details presented here reflect the current understanding as of the publication date. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController
- CVE-2026-10284MEDIUMImproper Authorization in DevaslanPHP Project-Management Comment Functions
- CVE-2026-10285MEDIUMDevaslanPHP Improper Authorization in Ticket Handler