CVE-2026-49248: OneDev: RCE through absolute-path symlink following allows low-privileged users to overwrite arbitrary server via TarUtils.untar
OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.
Affected Software
Remediation
Recommended actions to resolve this vulnerability, in priority order.
- Upgrade
Upgrade
OneDevto a version that resolves this vulnerability.Fixed in 15.0.7
Event History
Frequently Asked Questions
What is the severity of CVE-2026-49248?
The severity of CVE-2026-49248 is rated at 76, indicating a moderate risk level.
How do I fix CVE-2026-49248?
To fix CVE-2026-49248, upgrade to OneDev version 15.0.7 or later where the vulnerability has been addressed.
Who is affected by CVE-2026-49248?
Low-privileged users on OneDev versions 15.0.6 and below are affected by CVE-2026-49248.
What type of vulnerability is CVE-2026-49248?
CVE-2026-49248 is a remote code execution (RCE) vulnerability due to improper handling of symbolic links.
What can attackers do with CVE-2026-49248?
Attackers can exploit CVE-2026-49248 to overwrite arbitrary server files by leveraging symbolic link vulnerabilities.