A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
History

Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised.
Title theonedev REST API default-branch improper authorization
First Time appeared Theonedev
Theonedev onedev
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:theonedev:onedev:*:*:*:*:*:*:*:*
Vendors & Products Theonedev
Theonedev onedev
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-06T17:30:11.510Z

Updated: 2026-06-08T16:30:48.196Z

Reserved: 2026-06-05T22:21:05.442Z

Link: CVE-2026-11440

cve-icon Vulnrichment

Updated: 2026-06-08T16:30:43.461Z

cve-icon NVD

Status : Deferred

Published: 2026-06-06T18:16:53.243

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11440

cve-icon Redhat

No data.