CVE-2026-11438: theonedev projects improper authorization

Q: What is the severity of CVE-2026-11438?

CVE-2026-11438 has a severity rating of medium with a score of 6.3.

Q: How do I fix CVE-2026-11438?

To fix CVE-2026-11438, you should upgrade to OneDev version 15.0.6 or later.

Q: What impact does CVE-2026-11438 have?

CVE-2026-11438 can lead to improper authorization, allowing unauthorized access to project functionalities.

Q: Can CVE-2026-11438 be exploited remotely?

Yes, CVE-2026-11438 can be exploited remotely, making it a critical concern for affected systems.

Q: What affected software does CVE-2026-11438 involve?

CVE-2026-11438 affects OneDev versions up to 15.0.5.

Published Jun 6, 2026

Updated

A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.

Affected Software

1 affected component

theonedev OneDev<=15.0.5

Remediation

Recommended actions to resolve this vulnerability, in priority order.

Upgrade
Upgrade theonedev onedev to a version that resolves this vulnerability.
Fixed in 15.0.6

Event History

Jun 6, 2026

CVE Published

via MITRE·05:00 PM

Data Sourced

via MITRE·05:00 PM

DescriptionSeverityWeakness

Data Sourced

via NVD·05:16 PM

DescriptionSeverityWeakness

Frequently Asked Questions

What is the severity of CVE-2026-11438?

CVE-2026-11438 has a severity rating of medium with a score of 6.3.

How do I fix CVE-2026-11438?

To fix CVE-2026-11438, you should upgrade to OneDev version 15.0.6 or later.

What impact does CVE-2026-11438 have?

CVE-2026-11438 can lead to improper authorization, allowing unauthorized access to project functionalities.

Can CVE-2026-11438 be exploited remotely?