📄 Description (English)
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component.
🤖 AI Executive Summary
A remote authorization bypass vulnerability exists in OneDev versions up to 15.0.5 affecting the Parent Project Handler component. An attacker can manipulate the project.parentId parameter to bypass authorization controls and gain unauthorized access to project resources. While no public exploit is available, the vulnerability requires immediate patching as it allows unauthenticated or low-privileged users to escalate access to sensitive project data.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 22:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using OneDev for project management and source code repositories face significant risk, particularly in government IT departments, financial institutions managing development infrastructure, and telecommunications companies. The vulnerability could allow unauthorized access to sensitive development projects, intellectual property, and configuration data. Government agencies under NCA oversight and SAMA-regulated financial institutions are particularly at risk if OneDev is used for critical infrastructure development or financial system management.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Telecommunications
Energy and Utilities
Healthcare
Education and Research
Software Development Companies
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all OneDev instances in your environment running versions up to 15.0.5
2. Restrict network access to OneDev servers to authorized users only using firewall rules
3. Review access logs for suspicious project.parentId parameter manipulation attempts
4. Audit all project hierarchy configurations for unauthorized parent-child relationships
Patching Guidance:
1. Upgrade OneDev to version 15.0.6 or later immediately
2. Test the upgrade in a staging environment before production deployment
3. Verify all project permissions are correctly restored after upgrade
Compensating Controls (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block suspicious project.parentId parameters
2. Enable detailed logging and monitoring of /projects/ endpoint access
3. Restrict API access to OneDev to authenticated users only
4. Implement IP whitelisting for OneDev access
Detection Rules:
1. Monitor for repeated failed authorization attempts on /projects/ endpoint
2. Alert on project.parentId parameter values that don't match existing project hierarchies
3. Track changes to project parent-child relationships outside normal change management
4. Log all access attempts to projects by users without explicit permissions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات OneDev في بيئتك التي تعمل بإصدارات حتى 15.0.5
2. تقييد الوصول إلى شبكة خوادم OneDev للمستخدمين المصرح لهم فقط باستخدام قواعد جدار الحماية
3. مراجعة سجلات الوصول لمحاولات التلاعب بمعامل project.parentId المريبة
4. تدقيق جميع تكوينات التسلسل الهرمي للمشروع للعلاقات الأب والابن غير المصرح بها
إرشادات التصحيح:
1. ترقية OneDev إلى الإصدار 15.0.6 أو أحدث على الفور
2. اختبار الترقية في بيئة التجريب قبل نشر الإنتاج
3. التحقق من استعادة جميع أذونات المشروع بشكل صحيح بعد الترقية
عناصر التحكم التعويضية (إذا لم يكن التصحيح الفوري ممكنًا):
1. تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر معاملات project.parentId المريبة
2. تفعيل السجلات المفصلة ومراقبة وصول نقطة نهاية /projects/
3. تقييد وصول API إلى OneDev للمستخدمين المصرح لهم فقط
4. تنفيذ القائمة البيضاء للعناوين IP لوصول OneDev
قواعد الكشف:
1. مراقبة محاولات التفويض الفاشلة المتكررة على نقطة نهاية /projects/
2. التنبيه على قيم معامل project.parentId التي لا تطابق التسلسلات الهرمية للمشروع الموجودة
3. تتبع التغييرات على علاقات الأب والابن للمشروع خارج إدارة التغيير العادية
4. تسجيل جميع محاولات الوصول إلى المشاريع من قبل المستخدمين بدون أذونات صريحة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.1.1 - Access Control Policy
ECC 2024 A.9.2.1 - User Registration and De-registration
ECC 2024 A.9.4.3 - Password Management
ECC 2024 A.14.2.1 - Information Security Requirements Analysis and Specification
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control Policy and Procedures
SAMA CSF PR.AC-1 - Identities and Credentials are Managed
SAMA CSF PR.AC-3 - Access Restrictions are Enforced
SAMA CSF DE.CM-1 - The Network is Monitored for Unauthorized Connections
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties
ISO 27001:2022 A.8.2 - User Access Management
ISO 27001:2022 A.8.3 - User Responsibilities
ISO 27001:2022 A.9.2 - User Access Rights
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/theonedev/onedev/releases/tag/v15.0.6
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11439
cna@vuldb.com
https://vuldb.com/submit/822955
cna@vuldb.com
https://vuldb.com/vuln/369019
cna@vuldb.com
https://vuldb.com/vuln/369019/cti
cna@vuldb.com
https://www.cnblogs.com/aibot/p/19994142
cna@vuldb.com