theonedev REST API default-branch improper authorization_CVE-2026-11440

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

Description

A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.

Basic Information

ID CVE-2026-11440

Source VulDB

Published Jun 6, 2026 at 17:30

Affected Product

Vendor theonedev

Product onedev

Version 15.0.0

Affected Versions theonedev onedev 15.0.0
theonedev onedev 15.0.1
theonedev onedev 15.0.2
theonedev onedev 15.0.3
theonedev onedev 15.0.4
theonedev onedev 15.0.5

CWE Classification

CWE-285 CWE-266

References

{
    "lastseen": "",
    "description": "A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.",
    "published": "2026-06-06T17:30:11.510Z",
    "modified": "2026-06-06T17:30:11.510Z",
    "type": "cve",
    "title": "theonedev REST API default-branch improper authorization",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/369020\nhttps://vuldb.com/vuln/369020/cti\nhttps://vuldb.com/cve/CVE-2026-11440\nhttps://vuldb.com/submit/822956\nhttps://www.cnblogs.com/aibot/p/19994142\nhttps://github.com/theonedev/onedev/releases/tag/v15.0.6",
    "id": "CVE-2026-11440",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285",
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "theonedev onedev 15.0.0\ntheonedev onedev 15.0.1\ntheonedev onedev 15.0.2\ntheonedev onedev 15.0.3\ntheonedev onedev 15.0.4\ntheonedev onedev 15.0.5",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "onedev",
    "version": "15.0.0",
    "vendor": "theonedev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}