Description
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is present in theonedev onedev up to version 15.0.5 and arises from the manipulation of the project.forkedFromId argument in the /projects endpoint. This flaw results in improper authorization, which means that an attacker can bypass the standard access controls for certain project-related operations. Based on the description, it is inferred that the attacker could potentially read, modify or delete project data that should otherwise be restricted.

Affected Systems

The affected vendor is Theonedev, with the Onedev product. All installations running version 15.0.5 or earlier are vulnerable. The update to version 15.0.6 addresses the issue; no other affected versions are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS information is not available and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by sending crafted requests to the /projects endpoint that manipulate the project.forkedFromId parameter. Because authorization is not properly enforced on that parameter, the potential for data exposure or modification exists, but the exact extent depends on the application’s role and permissions model. Overall risk is considered moderate due to the remote nature of the attack and the lack of clear prerequisites.

Generated by OpenCVE AI on June 6, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Onedev to version 15.0.6 or later to eliminate the improper authorization flaw.
  • Block or restrict access to the /projects endpoint on the network perimeter to reduce exposure to unauthorized requests.
  • Implement logging and monitoring of project-level actions and review access patterns for anomalous activity.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
Title | | theonedev projects improper authorization
First Time appeared | | Theonedev
 | | Theonedev onedev
Weaknesses | | CWE-266
 | | CWE-285
CPEs | | cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*
Vendors & Products | | Theonedev
 | | Theonedev onedev
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T17:00:14.794Z

Reserved: 2026-06-05T22:21:00.483Z

Link: CVE-2026-11438

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T17:16:41.713

Modified: 2026-06-06T17:16:41.713

Link: CVE-2026-11438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T19:30:27Z

Weaknesses