Description
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Theonedev onedev versions up to 15.0.5 contain a flaw that allows an attacker to manipulate the project.parentId parameter through the Parent Project Handler, enabling improper authorization. This flaw permits users without appropriate privileges to alter project relationships or view and edit projects they should not access, thereby compromising the confidentiality and integrity of project data. The weakness originates from insufficient privilege checks, as categorized by CWE‑266 and CWE‑285.

Affected Systems

The vulnerability affects theonedev onedev software, specifically all releases up to and including version 15.0.5. Any deployment using these versions is at risk.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity, yet the vulnerability can be exploited remotely. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog, indicating that while exploitation is possible, it may not be widely used in the wild. Attackers would need network access to the onedev instance and could manipulate the project.parentId parameter to gain unauthorized access or modify project relationships without owning proper permissions.

Generated by OpenCVE AI on June 6, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade theonedev to version 15.0.6 or later.
  • Restrict permissions for the Parent Project Handler so that only privileged users can modify project.parentId and review role settings to prevent unauthorized changes.
  • Monitor application logs for suspicious manipulation of project.parentId values or unexpected changes to project parent relationships and investigate or block any anomalous activity.

Generated by OpenCVE AI on June 6, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
Title theonedev Parent Project projects improper authorization
First Time appeared Theonedev
Theonedev onedev
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*
Vendors & Products Theonedev
Theonedev onedev
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Theonedev Onedev
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T17:15:08.905Z

Reserved: 2026-06-05T22:21:02.958Z

Link: CVE-2026-11439

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T18:16:53.063

Modified: 2026-06-06T18:16:53.063

Link: CVE-2026-11439

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T20:00:16Z

Weaknesses