CVE-2026-11438
Published: 2026-06-06
Priority: P3 · 40 · medium · 6.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.21% (11.7th percentile)
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack can be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
Affected: theonedev onedev, 6 version ranges (range boundaries not listed on this page)
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| NVD | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
VulDB (2026-06-06, CVSS 6.3)
CVE-2026-11438 [MEDIUM] theonedev up to 15.0.5 /projects project.forkedFromId improper authorization
A vulnerability was found in theonedev onedev up to 15.0.5. It has been classified as critical. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization.
This vulnerability is uniquely identified as CVE-2026-11438. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA (unreviewed, 2026-06-06)
CVE-2026-11438 [MEDIUM] CWE-266: A vulnerability has been found in theonedev onedev up to 15.0.5.
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack can be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-06