📄 Description (English)
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended.
🤖 AI Executive Summary
CVE-2026-11438 is a medium-severity authorization bypass vulnerability in OneDev versions up to 15.0.5 affecting the /projects endpoint. An attacker can manipulate the project.forkedFromId parameter to bypass authorization controls and gain unauthorized access to project resources. While no public exploit is available, the vulnerability requires immediate patching as it enables remote unauthorized access without authentication.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 20:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using OneDev for source code management and project collaboration, particularly in: Government agencies (NCA, NCSC) managing sensitive development projects; Banking sector (SAMA-regulated institutions) using OneDev for internal development; Telecommunications companies (STC, Mobily) managing infrastructure code; Energy sector (ARAMCO, SEC) handling critical system development. The authorization bypass could expose proprietary code, intellectual property, and sensitive project configurations to unauthorized internal or external actors.
🏢 Affected Saudi Sectors
Government
Banking
Telecommunications
Energy
Healthcare
Software Development
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OneDev instances in your environment running versions up to 15.0.5
2. Restrict network access to OneDev /projects endpoint using firewall rules or WAF policies
3. Implement IP whitelisting for OneDev access
4. Review audit logs for suspicious project.forkedFromId parameter manipulation attempts
5. Monitor for unauthorized project access or fork creation activities
PATCHING:
1. Upgrade OneDev to version 15.0.6 or later immediately upon release
2. Test patches in non-production environment first
3. Plan maintenance window for production deployment
COMPENSATING CONTROLS (until patch available):
1. Implement reverse proxy authentication layer requiring additional MFA
2. Deploy WAF rules to block requests with suspicious project.forkedFromId values
3. Restrict project fork functionality at application level if possible
4. Implement strict RBAC policies limiting project access
DETECTION:
1. Monitor HTTP POST/GET requests to /projects endpoint with forkedFromId parameters
2. Alert on project fork creation by unauthorized users
3. Track access to projects by users without explicit permissions
4. Log all project.forkedFromId parameter values for forensic analysis
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات OneDev في بيئتك التي تعمل بالإصدارات حتى 15.0.5
2. تقييد الوصول إلى نقطة نهاية /projects باستخدام قواعد جدار الحماية أو سياسات WAF
3. تطبيق قائمة بيضاء للعناوين IP للوصول إلى OneDev
4. مراجعة سجلات التدقيق للكشف عن محاولات التلاعب بمعامل project.forkedFromId المريبة
5. مراقبة أنشطة الوصول غير المصرح به للمشروع أو إنشاء النسخ
التصحيح:
1. ترقية OneDev إلى الإصدار 15.0.6 أو أحدث فورًا عند إصداره
2. اختبار التصحيحات في بيئة غير الإنتاج أولاً
3. تخطيط نافذة الصيانة لنشر الإنتاج
عناصر التحكم التعويضية:
1. تطبيق طبقة مصادقة وكيل عكسي تتطلب MFA إضافي
2. نشر قواعد WAF لحظر الطلبات ذات قيم project.forkedFromId المريبة
3. تقييد وظيفة نسخ المشروع على مستوى التطبيق إن أمكن
4. تطبيق سياسات RBAC صارمة تحد من الوصول إلى المشروع
الكشف:
1. مراقبة طلبات HTTP POST/GET إلى نقطة نهاية /projects بمعاملات forkedFromId
2. التنبيه عند إنشاء نسخة مشروع من قبل مستخدمين غير مصرح لهم
3. تتبع الوصول إلى المشاريع من قبل المستخدمين بدون أذونات صريحة
4. تسجيل جميع قيم معامل project.forkedFromId للتحليل الجنائي
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.1.1 - Access control policy and procedures
ECC 2024 A.9.2.1 - User registration and access rights management
ECC 2024 A.9.4.3 - Password management system
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control Policy
SAMA CSF PR.AC-1 - Identities and credentials are managed
SAMA CSF PR.AC-3 - Access is managed based on the principle of least privilege
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.9.2 - User access provisioning
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/theonedev/onedev/releases/tag/v15.0.6
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11438
cna@vuldb.com
https://vuldb.com/submit/822944
cna@vuldb.com
https://vuldb.com/vuln/369018
cna@vuldb.com
https://vuldb.com/vuln/369018/cti
cna@vuldb.com
https://www.cnblogs.com/aibot/p/19994142
cna@vuldb.com