MEDIUM 6.3

CVE-2026-11439: OneDev Project Authorization Bypass (Version 15.0.5)

A vulnerability in OneDev up to version 15.0.5 allows authenticated users to manipulate parent project assignments in a way that bypasses authorization checks. An attacker with valid credentials can exploit the project.parentId parameter in the /projects/ endpoint to gain unauthorized access or make unauthorized changes to project hierarchies. This is a remote, network-accessible flaw that requires an existing user account to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11439 is an improper authorization vulnerability affecting OneDev's Parent Project Handler component. The flaw exists in the /projects/ endpoint where the project.parentId argument is not properly validated against the authenticated user's permissions. The vulnerability is rooted in insufficient authorization logic (CWE-285) combined with improper privilege assignment (CWE-266), allowing an authenticated attacker to traverse or modify project hierarchies they should not have access to. The attack is unauthenticated from a network perspective (CVSS AV:N) but requires a valid user session (PR:L), making it accessible to any authenticated user of the OneDev instance.

Business impact

Organizations running OneDev depend on project isolation and role-based access controls to manage sensitive code repositories and build pipelines. This vulnerability undermines those protections by allowing a junior developer, contractor, or compromised low-privilege account to view, modify, or disrupt projects outside their designated scope. In a multi-tenant or multi-team environment, this could lead to unauthorized code exposure, CI/CD tampering, or lateral movement to higher-value projects. The impact is magnified in compliance-heavy industries where audit trails and access segregation are critical.

Affected systems

OneDev versions up to and including 15.0.5 are vulnerable. Version 15.0.6 and later contain the fix. Any deployment using an affected version with multiple users or projects is at risk. Self-hosted and cloud-hosted OneDev instances are equally vulnerable if not patched.

Exploitability

Exploitation requires valid OneDev user credentials, which reduces opportunistic attack likelihood but increases insider-threat risk. Once authenticated, the attack is trivial—an attacker simply needs to craft a request with a modified project.parentId value pointing to a project they should not access. The low complexity (AC:L) and straightforward nature of parameter manipulation make this exploitable by attackers with basic web application knowledge. There is no known public exploit kit, and the vulnerability is not tracked in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Immediately upgrade OneDev to version 15.0.6 or later. This is a straightforward patching scenario with no known breaking changes. Organizations unable to patch immediately should restrict network access to OneDev to a trusted subset of users and audit recent project access logs for signs of unauthorized navigation.

Patch guidance

Visit the OneDev release notes and download version 15.0.6 or the latest available release from the official repository. Standard upgrade procedures apply: back up your OneDev instance (including the database), perform the upgrade, and verify that all projects and users are accessible post-upgrade. If you are running a managed or cloud-hosted OneDev service, check with your provider for patch availability and timeline. Verify the fix by testing that non-authorized users can no longer access projects via parent ID manipulation.

Detection guidance

Monitor OneDev request logs for unusual activity in the /projects/ endpoint, particularly POST or PUT requests from low-privilege users targeting projects outside their expected scope. Watch for repeated parent project modifications, especially those targeting high-sensitivity projects. Correlate API logs with user account activity to identify compromised or malicious sessions. Implement logging around project hierarchy changes and alert when a user accesses or modifies a project they have not previously worked with.

Why prioritize this

Although the CVSS score is medium (6.3), the risk should be weighted higher in organizations with strict data segregation requirements. The vulnerability is trivial to exploit once an attacker has any valid account, making it a natural stepping stone for privilege escalation or lateral movement. If your OneDev instance hosts security-sensitive, proprietary, or regulated code, prioritize patching within your next maintenance window.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects the requirement for prior authentication (PR:L), which prevents unauthenticated remote exploitation. However, all three impact categories are affected—confidentiality (data exposure), integrity (project modification), and availability (potential disruption)—earning a score above 5.0. The network accessibility (AV:N) and low attack complexity (AC:L) prevent a lower rating. Organizations with strict role-based access controls and compliance requirements should consider this a high-priority fix despite the medium score.

Frequently asked questions

Can an attacker exploit this without a valid OneDev account?

No. The vulnerability requires authentication (PR:L in the CVSS vector), so an attacker must have a valid username and password or session token. However, any user—even one with minimal privileges—can potentially exploit it to access projects outside their intended scope.

Does this allow remote code execution or system-level compromise?

No. This is an authorization bypass, not an RCE vulnerability. An attacker can access or modify project configurations and code within OneDev but cannot execute arbitrary code on the server or escalate to system-level access. The impact is confined to project and data access.

What versions of OneDev are vulnerable?

OneDev versions up to and including 15.0.5 are affected. Version 15.0.6 and later include the fix. Check your current version in the OneDev web interface (typically under Settings > System) and upgrade if necessary.

Are there any workarounds if we cannot patch immediately?

Patching is strongly recommended. If you must delay, restrict OneDev network access to a small trusted group of users, audit all project access in recent logs, and consider implementing additional reverse-proxy or firewall-level access controls. However, these are temporary measures and should not replace patching.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. The vendor, version numbers, and patch status are as reported by the CVE record and should be verified against official OneDev releases and security advisories before making patching decisions. Security teams should conduct their own risk assessment based on their specific deployment, user base, and compliance requirements. This document does not constitute professional security advice or a guarantee of vulnerability impact in your environment. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).