Description
OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. A user with push permission to any repository is able to read any server file accessible to the server process. This vulnerability is fixed in 15.0.2.
Published: 2026-05-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who has push permission to a repository in OneDev to read arbitrary files on the server's filesystem accessible to the server process, using the Git LFS pointer mechanism to bypass normal repository boundaries. This can expose sensitive configuration or credential files, leading to data exposure.
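As an added illustration of the hardening this bug class calls for (example code written for this page, not OneDev's implementation, which the record does not show): a Git LFS pointer parser that validates the repository-controlled oid as a 64-digit hex digest before any storage path is built, then confirms the canonical path still lies under the storage root. The storage root, the fan-out layout and the sample pointers are constructed assumptions.

```python
import re
from pathlib import Path

LFS_ROOT = Path("/var/lib/lfs-objects").resolve()  # constructed root, not OneDev's layout
LFS_SPEC = "https://git-lfs.github.com/spec/v1"
# Git LFS spec: the oid is "sha256:" followed by exactly 64 lowercase hex digits.
OID_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def parse_lfs_pointer(text: str) -> dict:
    """Parse the space-separated key/value lines of a Git LFS pointer file."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(" ")
        if not sep:
            raise ValueError(f"malformed pointer line: {line!r}")
        fields[key] = value
    if fields.get("version") != LFS_SPEC:
        raise ValueError("missing or unsupported LFS pointer version")
    if "oid" not in fields or "size" not in fields:
        raise ValueError("pointer lacks oid or size")
    return fields


def resolve_lfs_object(pointer_text: str, root: Path = LFS_ROOT) -> Path:
    """Map repository-controlled pointer metadata to a path that must stay under root."""
    fields = parse_lfs_pointer(pointer_text)
    match = OID_RE.match(fields["oid"])
    if match is None:
        # Reject before any path is built: only a hex digest can name an object.
        raise ValueError("oid is not a sha256 hex digest")
    digest = match.group(1)
    # Two-level fan-out <root>/ab/cd/abcd...; hex-only segments cannot hold
    # separators or "..", and the canonical-path check is defence in depth.
    candidate = (root / digest[:2] / digest[2:4] / digest).resolve()
    if root not in candidate.parents:
        raise ValueError("resolved object path escapes the LFS storage root")
    return candidate


def is_pointer_safe(pointer_text: str) -> bool:
    try:
        resolve_lfs_object(pointer_text)
        return True
    except ValueError:
        return False


# Constructed pointers (not from any real repository) used by the checks below.
GOOD_POINTER = f"version {LFS_SPEC}\noid sha256:{'a' * 64}\nsize 12345\n"
BAD_POINTER = f"version {LFS_SPEC}\noid sha256:../../outside-root\nsize 1\n"
```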

Affected Systems

OneDev Git server: all versions prior to 15.0.2 are affected, i.e. every release that does not include the fix added in 15.0.2.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 (rated High) indicates a medium to high risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet widely exploited. The attack requires push access to a repository; any user with that permission can trigger the file read, so the risk is significant for repositories with broad write access.

Generated by OpenCVE AI on May 14, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneDev to version 15.0.2 or later to receive the fix.
  • Restrict push permissions to trusted users only; consider removing write access from anonymous or external contributors until the update is applied.
  • If an immediate upgrade is not feasible, temporarily disable LFS pointer resolution or remove LFS support from repositories until the patch is installed.

Generated by OpenCVE AI on May 14, 2026 at 21:23 UTC.

Advisories

No advisories yet.

History

Sat, 16 May 2026 01:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 20:45:00 +0000

Type          Values Removed   Values Added
Description                    OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.
Title                          OneDev: Path Traversal (read capability via Git LFS pointer resolution)
Weaknesses                     CWE-22
References
Metrics                        cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T00:58:52.720Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44647

Vulnrichment

Updated: 2026-05-16T00:58:46.578Z

NVD

Status : Deferred

Published: 2026-05-14T21:16:46.967

Modified: 2026-05-15T14:55:57.710

Link: CVE-2026-44647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:30:12Z

Weaknesses