A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
PUBLISHED5.2ApplicationCWE-285CWE-266
theonedev REST API default-branch improper authorization
Problem type
Affected products
theonedev
onedev
15.0.0 - AFFECTED
15.0.1 - AFFECTED
15.0.2 - AFFECTED
15.0.3 - AFFECTED
15.0.4 - AFFECTED
15.0.5 - AFFECTED
15.0.6 - UNAFFECTED
References
VDB-369020 | theonedev REST API default-branch improper authorization
https://vuldb.com/vuln/369020
VDB-369020 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369020/cti
CVE-2026-11440 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11440
Submit #822956 | theonedev onedev 15.05 BOPLA
https://vuldb.com/submit/822956
cnblogs.com
https://www.cnblogs.com/aibot/p/19994142
github.com
https://github.com/theonedev/onedev/releases/tag/v15.0.6
GitHub Security Advisories
GHSA-2g53-8j24-x4mg
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of...
https://github.com/advisories/GHSA-2g53-8j24-x4mgA vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-11440
github.com
https://github.com/theonedev/onedev/releases/tag/v15.0.6
vuldb.com
https://vuldb.com/cve/CVE-2026-11440
vuldb.com
https://vuldb.com/submit/822956
vuldb.com
https://vuldb.com/vuln/369020
vuldb.com
https://vuldb.com/vuln/369020/cti
cnblogs.com
https://www.cnblogs.com/aibot/p/19994142
github.com
https://github.com/advisories/GHSA-2g53-8j24-x4mg
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-11440Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-11440",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-06-06T17:30:11.510Z",
"dateReserved": "2026-06-05T22:21:05.442Z",
"datePublished": "2026-06-06T17:30:11.510Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-06-06T17:30:11.510Z"
},
"title": "theonedev REST API default-branch improper authorization",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised."
}
],
"affected": [
{
"vendor": "theonedev",
"product": "onedev",
"cpes": [
"cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*"
],
"modules": [
"REST API"
],
"versions": [
{
"version": "15.0.0",
"status": "affected"
},
{
"version": "15.0.1",
"status": "affected"
},
{
"version": "15.0.2",
"status": "affected"
},
{
"version": "15.0.3",
"status": "affected"
},
{
"version": "15.0.4",
"status": "affected"
},
{
"version": "15.0.5",
"status": "affected"
},
{
"version": "15.0.6",
"status": "unaffected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Authorization",
"cweId": "CWE-285",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Incorrect Privilege Assignment",
"cweId": "CWE-266",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/369020",
"name": "VDB-369020 | theonedev REST API default-branch improper authorization",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/369020/cti",
"name": "VDB-369020 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/cve/CVE-2026-11440",
"name": "CVE-2026-11440 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://vuldb.com/submit/822956",
"name": "Submit #822956 | theonedev onedev 15.05 BOPLA",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://www.cnblogs.com/aibot/p/19994142",
"tags": [
"related"
]
},
{
"url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6",
"tags": [
"patch"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"baseScore": 6.5
}
}
],
"timeline": [
{
"time": "2026-06-05T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-06-06T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-06-06T00:26:19.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "aibot88 (VulDB User)",
"type": "reporter"
}
]
}
}
}