CVE-2026-11441
published 2026-06-06
CVE-2026-11441: A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component…
Priority P3 · 41 · medium · 6.3 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.21% (11.6th percentile)
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theonedev | onedev | — | — |
| theonedev | onedev | — | — |
| theonedev | onedev | — | — |
| theonedev | onedev | — | — |
| theonedev | onedev | — | — |
| theonedev | onedev | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
VulDB
theonedev up to 15.0.5 Pull Request /issues/ canAccessIssue issue improper authorization
vuldb·2026-06-06·CVSS 6.3
CVE-2026-11441 [MEDIUM] theonedev up to 15.0.5 Pull Request /issues/ canAccessIssue issue improper authorization
A vulnerability categorized as critical has been discovered in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization.
This vulnerability is referenced as CVE-2026-11441. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
A vulnerability was identified in theonedev onedev up to 15.0.5.
ghsa_unreviewed·2026-06-06
CVE-2026-11441 [MEDIUM] CWE-266 A vulnerability was identified in theonedev onedev up to 15.0.5.
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-06