CVE-2026-11441: theonedev onedev Authorization Bypass in Pull Request Handler
A flaw exists in theonedev onedev versions up to 15.0.5 that allows authenticated users to bypass authorization checks when accessing pull request issues. An attacker with valid credentials can manipulate how the system validates whether they have permission to view or modify specific issues, potentially gaining unauthorized access to sensitive project data. The vulnerability is straightforward to exploit once an attacker has credentials, and it requires only network access to the affected instance.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper authorization logic in the canAccessIssue function within the Pull Request Handler component (located at /issues/). The flaw allows an authenticated attacker to bypass authorization checks by manipulating the issue argument passed to this function. This represents a classic case of insecure direct object reference (IDOR) combined with weak access control validation. Because the pull request handler fails to properly verify whether the requesting user has permission to access a specific issue before returning data or allowing modifications, an attacker can enumerate or modify issues across the application. The vulnerability is remotely exploitable and requires only valid authentication—a low bar for exploitation in many environments.
Business impact
Compromise of project confidentiality and integrity across your onedev instance. Authenticated attackers can view issues they should not have access to, potentially exposing sensitive bug reports, security findings, roadmap details, or customer information embedded in issue descriptions and comments. Additionally, attackers could alter issue state, descriptions, or metadata to disrupt workflows or cover tracks. In development-heavy organizations, this can compromise intellectual property, delay release cycles through sabotage, and breach customer trust if sensitive customer-reported issues are exposed. The severity is heightened in multi-tenant or shared-project environments where issue access control is essential to data isolation.
Affected systems
theonedev onedev versions 15.0.5 and earlier are affected. Organizations running any deployment of onedev up to and including version 15.0.5 should assume exposure. This includes self-hosted instances across all operating systems and cloud deployments. The vulnerability affects the core pull request and issue handling functionality, meaning any onedev instance using pull requests is vulnerable.
Exploitability
Exploitation is low-friction. An attacker must possess valid credentials to the onedev instance, but no special privileges are required—any authenticated user can attempt the attack. The vulnerability does not require user interaction, complex timing, or multiple exploitation steps. The attack can be executed through direct API calls or by manipulating web requests, making it suitable for both manual and automated exploitation. However, exploitation is limited to attackers with legitimate access to the system, which provides some natural containment compared to unauthenticated flaws.
Remediation
Upgrade all affected onedev instances to version 15.0.6 or later. This version resolves the authorization bypass by implementing proper access control validation in the canAccessIssue function. There are no known workarounds for this vulnerability; patching is the only mitigation path. Organizations should prioritize this upgrade, particularly if their onedev instance contains multi-user or multi-project environments where data isolation is critical.
Patch guidance
1. Review your current onedev version via the administration dashboard or CLI. 2. Back up your onedev instance and database before patching. 3. Download and test onedev 15.0.6 in a non-production environment first to ensure compatibility with custom plugins or configurations. 4. Apply the upgrade following theonedev documentation for your deployment method (Docker, standalone, etc.). 5. Verify after upgrade that pull request and issue access controls function correctly and that users can only access issues within their assigned projects.
Detection guidance
Look for access patterns indicating unauthorized issue queries: (1) Users accessing issues outside their assigned projects in access logs or audit trails. (2) Repeated 200 OK responses to /issues/ requests with unusual or high-numbered issue IDs. (3) Users modifying issue descriptions, state, or metadata that they did not create or are not assigned to. (4) Spike in API calls to the pull request handler from a single authenticated user. Monitor onedev audit logs for 'issue accessed' or 'issue modified' events associated with users who lack project membership or issue assignment. Network monitoring can surface suspicious patterns if users repeatedly fetch issues across many projects in a short window.
Why prioritize this
Prioritize this as a near-term remediation target. While it requires authentication, the CVSS 6.3 (MEDIUM) score reflects meaningful impact across confidentiality, integrity, and availability. The vulnerability directly compromises data isolation in multi-project environments and is trivial to exploit once credentials are obtained. Organizations with shared development teams, customer-facing issue tracking, or sensitive roadmap information should patch urgently. Those in heavily regulated industries should treat this with higher urgency given the potential for unauthorized access to regulated data.
Risk score, explained
The CVSS 3.1 score of 6.3 (MEDIUM) reflects: (1) Network-accessible attack vector (AV:N), allowing remote exploitation without special network positioning. (2) Low attack complexity (AC:L), as no special conditions or timing are required. (3) Low privilege requirement (PR:L), indicating any authenticated user can attempt the exploit. (4) Low impact across confidentiality, integrity, and availability (C:L, I:L, A:L), meaning the flaw grants partial unauthorized access to project data and limited ability to modify or disrupt it. The score appropriately captures that this is a privilege-escalation flaw within a collaborative tool, not a system-wide compromise, but one that nonetheless erodes data isolation and should not be ignored.
Frequently asked questions
Can this vulnerability be exploited without valid credentials?
No. The vulnerability explicitly requires PR:L (low privilege), meaning an attacker must possess valid login credentials to the onedev instance. This does not mean the risk is low—insider threats, compromised accounts, and shared credentials are all common attack vectors—but it does provide a natural boundary compared to unauthenticated flaws.
Does upgrading to 15.0.6 require downtime?
Verify against the theonedev advisory for your specific deployment method. Many modern applications support rolling or zero-downtime upgrades, but this depends on your architecture. Plan a maintenance window and test the upgrade in a staging environment first to minimize risk.
How can we quickly identify if this vulnerability has been exploited in our instance?
Review audit logs and access records for the /issues/ endpoint, specifically looking for authenticated users accessing issues outside their project scope. Check for modifications to issues where the user was not the creator or assignee. If your onedev instance logs API calls or HTTP requests, search for patterns of sequential or random issue ID requests from a single user.
Does this affect only pull requests, or all issues in onedev?
The vulnerability resides in the Pull Request Handler component's canAccessIssue function, meaning it primarily affects issues associated with pull requests. However, the canAccessIssue function likely governs all issue access control within that handler, so assume broad issue access bypass unless the vendor specifies otherwise. Verify your exposure by reviewing the affected codebase in the upgrade notes.
This analysis is based on the official CVE record and vendor guidance as of the publication date. CVSS scores and affected product versions are sourced directly from the CVE entry and should be verified against theonedev's official security advisories. Exploit code, proofs-of-concept, and detailed attack payloads are intentionally omitted from this report. Organizations should verify patch applicability and compatibility with their specific onedev deployment and configuration before applying updates. This report does not constitute legal, compliance, or professional security advice; engage qualified security personnel to assess your specific exposure and remediation strategy. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController
- CVE-2026-10284MEDIUMImproper Authorization in DevaslanPHP Project-Management Comment Functions
- CVE-2026-10285MEDIUMDevaslanPHP Improper Authorization in Ticket Handler