CVE-2026-11438

Source
https://cve.org/CVERecord?id=CVE-2026-11438
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11438.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11438
Published
2026-06-06T17:00:14.794Z
Modified
2026-07-08T07:55:29.146938423Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X CVSS Calculator
Summary
theonedev projects improper authorization
Details

A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11438.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-266",
        "CWE-285"
    ]
}
References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "15.0.0"
        },
        {
            "last_affected": "15.0.0"
        },
        {
            "introduced": "15.0.1"
        },
        {
            "last_affected": "15.0.1"
        },
        {
            "introduced": "15.0.2"
        },
        {
            "last_affected": "15.0.2"
        },
        {
            "introduced": "15.0.3"
        },
        {
            "last_affected": "15.0.3"
        },
        {
            "introduced": "15.0.4"
        },
        {
            "last_affected": "15.0.4"
        },
        {
            "introduced": "15.0.5"
        },
        {
            "last_affected": "15.0.5"
        }
    ]
}

Affected versions

15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.0.5
v15.*
v15.0.0
v15.0.1
v15.0.2
v15.0.3
v15.0.4
v15.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11438.json"