CVE-2026-11440 | A vulnerability was determined in theonedev onedev up to 15.… | CVSS 6.3 MEDIUM

Description

A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.

Metadata

CVE ID: CVE-2026-11440
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-05 22:21 UTC
Published: 2026-06-06 17:30 UTC
Last updated: 2026-06-08 16:30 UTC
Primary CWE: CWE-285
Improper Authorization
Vendor / Product: theonedev / onedev
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
theonedev	onedev	—	15.0.0, 15.0.1, 15.0.2, 15.0.3 …

Weakness (CWE)

CWE	Source	Description
CWE-266	cna	Incorrect Privilege Assignment
CWE-285	cna	Improper Authorization

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.5	N/D	2.0	cna	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
6.3	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

References (6)

VDB-369020 | theonedev REST API default-branch improper authorization https://vuldb.com/vuln/369020
VDB-369020 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/369020/cti
CVE-2026-11440 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-11440
Submit #822956 | theonedev onedev 15.05 BOPLA https://vuldb.com/submit/822956
https://www.cnblogs.com/aibot/p/19994142
https://github.com/theonedev/onedev/releases/tag/v15.0.6