CVE-2026-44647: OneDev: Path Traversal (read capability via Git LFS pointer resolution)

Q: What is the severity of CVE-2026-44647?

The severity of CVE-2026-44647 is classified as high with a score of 7.1.

Q: How do I fix CVE-2026-44647?

To fix CVE-2026-44647, update OneDev to version 15.0.2 or later.

Q: What kind of vulnerability is CVE-2026-44647?

CVE-2026-44647 is a path traversal vulnerability affecting OneDev.

Q: What can an attacker do with CVE-2026-44647?

An attacker can exploit CVE-2026-44647 to read arbitrary local files on the server.

Q: Which software is affected by CVE-2026-44647?

CVE-2026-44647 affects OneDev versions prior to 15.0.2.

Published May 14, 2026

Updated

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.

Affected Software

1 affected component

OneDev OneDev<15.0.2

Event History

May 14, 2026

CVE Published

via MITRE·08:08 PM

Data Sourced

via MITRE·08:08 PM

DescriptionWeakness

Data Sourced

via NVD·09:16 PM

DescriptionSeverityWeakness

Frequently Asked Questions

What is the severity of CVE-2026-44647?

The severity of CVE-2026-44647 is classified as high with a score of 7.1.

How do I fix CVE-2026-44647?

To fix CVE-2026-44647, update OneDev to version 15.0.2 or later.

What kind of vulnerability is CVE-2026-44647?

CVE-2026-44647 is a path traversal vulnerability affecting OneDev.

What can an attacker do with CVE-2026-44647?

An attacker can exploit CVE-2026-44647 to read arbitrary local files on the server.

Which software is affected by CVE-2026-44647?