PT-2026-41119 · Onedev · Onedev
Forimoc +3 · Published 2026-05-14 · Updated 2026-05-15 · CVE-2026-44647
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OneDev versions prior to 15.0.2
Description
OneDev is a Git server featuring CI/CD, kanban, and packages. Affected versions do not enforce the boundary between repository-controlled LFS (Large File Storage) metadata and server-local filesystem paths: an object committed to a repository can redirect raw blob reads to arbitrary local files accessible by the server account. Any user with push permission to a repository can therefore read any file the OneDev server process has permission to read.
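The boundary described above, as an added illustration that is not OneDev's code and makes no claim about OneDev's internals: a Git LFS pointer (the `version`/`oid`/`size` lines of the LFS v1 spec) is repository content, so its `oid` value is attacker-controlled by anyone who can push. A resolver that splices that value into a path under the LFS storage root lets `oid sha256:../../server-secret.txt` escape the root; the hardened variant accepts only a 64-hex-digit SHA-256 oid and then confirms the canonical path still lies under the storage root. The flat `objects/<oid>` layout, the temporary directories and the secret file are constructed for the example.

```python
"""Added example: LFS pointer metadata used to build a server-local path.

Not OneDev's code. The storage layout objects/<oid> and all files below are
assumptions constructed for the demonstration.
"""
import os
import re
import tempfile

# A SHA-256 oid is exactly 64 lowercase hex digits; anything else is not an oid.
OID_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_pointer(text: str) -> dict:
    """Parse the key/value lines of a Git LFS pointer file (spec v1)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        fields[key] = value
    if fields.get("version") != "https://git-lfs.github.com/spec/v1":
        raise ValueError("not an LFS v1 pointer")
    algo, _, oid = fields.get("oid", "").partition(":")
    if algo != "sha256":
        raise ValueError("unsupported oid algorithm")
    return {"oid": oid, "size": int(fields.get("size", "0"))}


def blob_path_vulnerable(lfs_root: str, pointer: dict) -> str:
    """Trusts repository content: the oid is spliced straight into the path."""
    return os.path.join(lfs_root, "objects", pointer["oid"])


def blob_path_safe(lfs_root: str, pointer: dict) -> str:
    """Validate the oid syntactically, then confine the resolved path to the root."""
    oid = pointer["oid"]
    if not OID_RE.fullmatch(oid):
        raise ValueError("malformed oid")
    root = os.path.realpath(lfs_root)
    path = os.path.realpath(os.path.join(root, "objects", oid))
    # Belt and braces: even a well-formed oid must not resolve outside the root
    # (symlinks under the store could otherwise redirect the read).
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes LFS storage")
    return path


def demo() -> tuple:
    """Constructed scenario: a secret outside the LFS root and a malicious pointer.

    Returns (what the vulnerable resolver leaks, whether the safe one refused).
    """
    base = tempfile.mkdtemp()
    lfs_root = os.path.join(base, "lfs")
    os.makedirs(os.path.join(lfs_root, "objects"))
    secret = os.path.join(base, "server-secret.txt")  # constructed server file
    with open(secret, "w") as f:
        f.write("db-password")

    # Constructed pointer as it would be committed and pushed to the repository.
    malicious = ("version https://git-lfs.github.com/spec/v1\n"
                 "oid sha256:../../server-secret.txt\n"
                 "size 11\n")
    ptr = parse_pointer(malicious)

    with open(blob_path_vulnerable(lfs_root, ptr)) as f:
        leaked = f.read()  # lfs/objects/../../server-secret.txt -> base/server-secret.txt

    try:
        blob_path_safe(lfs_root, ptr)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # ('db-password', True)
```

The syntactic check alone closes the traversal shown here; the `commonpath` check is kept because a read path should be confined by what it resolves to, not only by what it looks like.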
Recommendations
Update OneDev to version 15.0.2 or later.
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Onedev