OneDev: Path Traversal (read capability via Git LFS pointer resolution)

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.

Basic Information

ID CVE-2026-44647

Source GitHub_M

Published May 14, 2026 at 20:08

Affected Product

Vendor theonedev

Product onedev

Version < 15.0.2

Affected Versions theonedev onedev < 15.0.2

CWE Classification

CWE-22

References

github.com /theonedev/onedev/security/advisories/GHSA-59wq-74xg-w85v

{
    "lastseen": "",
    "description": "OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.",
    "published": "2026-05-14T20:08:10.326Z",
    "modified": "2026-05-14T20:08:10.326Z",
    "type": "cve",
    "title": "OneDev: Path Traversal (read capability via Git LFS pointer resolution)",
    "source": "GitHub_M",
    "references": "https://github.com/theonedev/onedev/security/advisories/GHSA-59wq-74xg-w85v",
    "id": "CVE-2026-44647",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "theonedev onedev < 15.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "onedev",
    "version": "< 15.0.2",
    "vendor": "theonedev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OneDev: Path Traversal (read capability via Git LFS pointer resolution)_CVE-2026-44647