CVE-2026-11440
Published 2026-06-06
Priority: P3 41 · medium · CVSS 3.1 base score 6.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.21% (11.6th percentile)
A vulnerability was determined in theonedev onedev up to 15.0.5. It affects an unspecified part of the file /repositories/{projectId}/default-branch in the REST API component. Manipulation of the argument project.defaultBranch leads to improper authorization. The attack can be initiated remotely. Upgrading to version 15.0.6 mitigates this issue; upgrading the affected component is advised.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theonedev | onedev | up to 15.0.5 | 15.0.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
VulDB
vuldb · 2026-06-06 · CVSS 6.3
CVE-2026-11440 [MEDIUM] theonedev up to 15.0.5 REST API default-branch project.defaultBranch improper authorization
A vulnerability was found in theonedev onedev up to 15.0.5. It has been rated as critical. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization.
The identification of this vulnerability is CVE-2026-11440. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
ghsa_unreviewed · 2026-06-06
CVE-2026-11440 [MEDIUM] CWE-266: A vulnerability was determined in theonedev onedev up to 15.0.5.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.