CVE-2026-49248 | OneDev is a Git server with CI/CD, kanban, and packages. In … | CVSS 8.3 HIGH

Description

OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.

Metadata

CVE ID: CVE-2026-49248
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-28 14:33 UTC
Published: 2026-06-18 19:54 UTC
Last updated: 2026-06-18 19:54 UTC
Primary CWE: CWE-61
CWE-61: UNIX Symbolic Link (Symlink) Following
Vendor / Product: theonedev / onedev
Sources: cve.org · NVD

Severity & Metrics

8.3 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
theonedev	onedev	—	< 15.0.7

Weakness (CWE)

CWE	Source	Description
CWE-61	cna	CWE-61: UNIX Symbolic Link (Symlink) Following

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.3	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

References (2)

https://github.com/theonedev/onedev/security/advisories/GHSA-55g8-94r5-cj37 https://github.com/theonedev/onedev/security/advisories/GHSA-55g8-94r5-cj37
https://github.com/theonedev/onedev/commit/4f8684acebc4bfeefd3c7e23a34a4fd591cb27ad https://github.com/theonedev/onedev/commit/4f8684acebc4bfeefd3c7e23a34a4fd591cb27ad