CVE-2026-11440

Source
https://cve.org/CVERecord?id=CVE-2026-11440
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11440.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11440
Published
2026-06-06T17:30:11.510Z
Modified
2026-07-08T07:55:29.194948417Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X CVSS Calculator
Summary
theonedev REST API default-branch improper authorization
Details

A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11440.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-266",
        "CWE-285"
    ]
}
References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "15.0.0"
        },
        {
            "last_affected": "15.0.0"
        },
        {
            "introduced": "15.0.1"
        },
        {
            "last_affected": "15.0.1"
        },
        {
            "introduced": "15.0.2"
        },
        {
            "last_affected": "15.0.2"
        },
        {
            "introduced": "15.0.3"
        },
        {
            "last_affected": "15.0.3"
        },
        {
            "introduced": "15.0.4"
        },
        {
            "last_affected": "15.0.4"
        },
        {
            "introduced": "15.0.5"
        },
        {
            "last_affected": "15.0.5"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.0.5
v15.*
v15.0.0
v15.0.1
v15.0.2
v15.0.3
v15.0.4
v15.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11440.json"