CVE-2026-11439: theonedev Parent Project projects improper authorization
A vulnerability was found in theonedev onedev up to 15.0.5. It affects some unknown functionality of the file /projects/ in the Parent Project Handler component. Manipulating the argument project.parentId results in improper authorization. The attack can be performed remotely. Upgrading to version 15.0.6 resolves this issue; upgrading the affected component is recommended.
Remediation
Recommended actions to resolve this vulnerability, in priority order.
- Upgrade: upgrade theonedev/onedev to a version that resolves this vulnerability. Fixed in 15.0.6.
Frequently Asked Questions
What is the severity of CVE-2026-11439?
The severity of CVE-2026-11439 is medium with a score of 6.3.
How do I fix CVE-2026-11439?
To fix CVE-2026-11439, update OneDev to version 15.0.6 or later.
What type of vulnerability is CVE-2026-11439?
CVE-2026-11439 is an improper authorization vulnerability in OneDev.
Which component is affected by CVE-2026-11439?
CVE-2026-11439 affects the Parent Project Handler component of the OneDev software.
Can CVE-2026-11439 be exploited remotely?
Yes, the attack for CVE-2026-11439 can be performed remotely.