MEDIUM 6.3

CVE-2026-11440: OneDev Authorization Bypass in Default Branch API Endpoint

A vulnerability in OneDev versions up to 15.0.5 allows authenticated users to bypass authorization controls when modifying project default branch settings through the REST API. An attacker with login credentials can manipulate the `project.defaultBranch` parameter to gain unauthorized access or make changes they shouldn't be permitted to make. The vulnerability requires valid authentication to exploit but poses a moderate risk due to the potential for privilege escalation or unauthorized repository configuration changes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11440 is an improper authorization flaw in the OneDev REST API endpoint `/repositories/{projectId}/default-branch`. The vulnerability stems from insufficient authorization checks on the `project.defaultBranch` parameter manipulation. Classified under CWE-266 (Improper Privilege Management) and CWE-285 (Improper Authorization), the flaw allows authenticated users to perform actions beyond their intended permissions. The CVSS 3.1 score of 6.3 reflects a network-accessible attack vector with low complexity, requiring only low-level privileges (authenticated session), affecting confidentiality, integrity, and availability equally.

Business impact

Exploitation could allow junior developers, read-only users, or other restricted account holders to reconfigure critical repository settings, such as changing the default branch. This could disrupt CI/CD pipelines, cause code merges to unexpected branches, or enable unauthorized code promotion to production. Organizations relying on branch-based access controls to enforce separation of duties face compromised security boundaries. The impact is amplified in teams where branch protection rules depend on accurate role-based authorization.

Affected systems

OneDev versions 15.0.5 and earlier are affected. The vulnerability specifically impacts instances with the REST API enabled and users holding any level of authenticated access. Organizations running older versions of OneDev should assume exposure. Upgrading to version 15.0.6 or later mitigates the issue.

Exploitability

This vulnerability requires low barriers to exploitation: an attacker must have valid login credentials (low privilege level sufficient) and network access to the OneDev instance. The attack is straightforward—a direct API call with modified parameters—and requires no user interaction or special conditions. No CISA KEV listing indicates active in-the-wild exploitation as of the publication date, but the simplicity of the attack and common organizational exposure to insider threats make this a credible risk requiring prompt remediation.

Remediation

Upgrade OneDev to version 15.0.6 or later. This version includes authorization fixes for the `/repositories/{projectId}/default-branch` endpoint. Organizations should also conduct a brief audit of recent branch configuration changes in the logs to detect any unauthorized modifications made while running vulnerable versions.

Patch guidance

Apply the OneDev 15.0.6 security update as soon as feasible. Verify the patch has been applied by checking the OneDev version in the administration interface. If you cannot upgrade immediately due to operational constraints, restrict API access to trusted networks or disable the affected endpoint where possible. Test the patch in a staging environment first to ensure compatibility with existing automation or integrations that may depend on this API.

Detection guidance

Monitor OneDev API logs and audit trails for unusual calls to `/repositories/{projectId}/default-branch`, particularly from low-privilege accounts or unexpected sources. Check git logs for unexpected default branch changes. Search authentication logs for accounts performing repository configuration changes outside normal patterns. SIEM rules should flag modification requests to this endpoint coming from users lacking repository admin roles.

Why prioritize this

Although rated CVSS 6.3 (MEDIUM), this vulnerability should be prioritized for rapid patching because: (1) it requires only basic authentication, lowering the attacker cost; (2) default branch manipulation can silently compromise code integrity; (3) it directly weakens access control boundaries that many teams rely on; and (4) the attack is trivial to execute once credentials are obtained, making it attractive for both insider threats and compromised accounts.

Risk score, explained

The CVSS 6.3 MEDIUM score reflects the authentication requirement (PR:L) and equal impact across confidentiality, integrity, and availability (C:L/I:L/A:L). However, the actual organizational risk may be higher if OneDev is used in environments with strong insider threat concerns, mandatory branch protection workflows, or environments where repository configuration is critical to compliance. The score does not capture the business context of code integrity and deployment pipeline security.

Frequently asked questions

Do I need valid credentials to exploit this?

Yes. The vulnerability requires authenticated access—an attacker cannot exploit it with an anonymous session. However, even low-privilege accounts (e.g., read-only developers) can trigger the flaw, making compromised accounts or insider threats realistic attack vectors.

What exactly can an attacker change with this vulnerability?

An attacker can manipulate the `project.defaultBranch` parameter in API calls to the `/repositories/{projectId}/default-branch` endpoint, potentially redirecting default merge targets or bypassing branch protection policies tied to specific branches.

Is this vulnerability actively being exploited?

As of the current date, CVE-2026-11440 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the ease of exploitation means organizations should not rely on this as justification for delay.

Can I work around this without upgrading immediately?

Temporarily restrict API access via network-level controls (firewall rules, API gateway policies) or disable non-essential API features. However, upgrading to 15.0.6 is the proper fix and should be prioritized.

This analysis is based on publicly available vulnerability data and vendor advisories current as of the publication date. Exploitation depends on specific OneDev deployment configurations, network exposure, and access controls not detailed in this advisory. Organizations should verify all patch version numbers and compatibility notes against official OneDev release notes before deployment. This document does not constitute legal, compliance, or risk assessment advice; consult your security team and organizational risk framework for prioritization decisions. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).