Description
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A manipulation of the project.defaultBranch argument in the default‑branch endpoint of theonedev’s REST API can bypass standard authorization checks, allowing an attacker to read or potentially modify information about the default branch of any project for which they are not authorized; this flaw is an authentication/authorization weakness that can lead to unauthorized access to repository metadata.

Affected Systems

Theonedev Onedev versions up to and including 15.0.5 are affected; any deployment exposing the REST API endpoint /repositories/{projectId}/default-branch without proper access controls can be exploited.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact, and no EPSS score is available, so current exploitation likelihood is unknown; the flaw is remotely exploitable via the REST API, requiring only network reachability to the server, and it is not currently listed in CISA KEV, though the absence of publicly known exploits does not reduce the risk of a custom or internal attack.

Generated by OpenCVE AI on June 6, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Onedev to version 15.0.6 or later
  • Restrict access to the /repositories/{projectId}/default-branch endpoint, allowing only properly authenticated users
  • Implement logging and monitoring of unauthorized access attempts to the REST API

Generated by OpenCVE AI on June 6, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
Title theonedev REST API default-branch improper authorization
First Time appeared Theonedev
Theonedev onedev
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*
Vendors & Products Theonedev
Theonedev onedev
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Theonedev Onedev
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T17:30:11.510Z

Reserved: 2026-06-05T22:21:05.442Z

Link: CVE-2026-11440

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T18:16:53.243

Modified: 2026-06-06T18:16:53.243

Link: CVE-2026-11440

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T20:00:16Z

Weaknesses