Vulnerabilities ›

CVE-2026-11441

Medium

CWE-266 — Weakness Type

                    Published: Jun 6, 2026                      ·  Modified: Jun 9, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.

🤖 AI Executive Summary

CVE-2026-11441 is a medium-severity authorization bypass vulnerability in OneDev versions up to 15.0.5 affecting the Pull Request Handler's issue access control. An attacker can manipulate the issue argument to bypass authorization checks and gain unauthorized access to pull requests and issues. While no public exploit is available, the vulnerability is remotely exploitable and poses a risk to organizations using OneDev for source code management and collaboration.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 22:19

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises using OneDev for internal source code management and CI/CD pipelines. High-risk sectors include: (1) ARAMCO and energy sector companies managing critical infrastructure code, (2) Saudi banking institutions (SAMA-regulated) using OneDev for financial systems development, (3) Government entities under NCA oversight managing sensitive projects, (4) Telecommunications companies (STC, Mobily) managing network infrastructure code. The authorization bypass could lead to unauthorized access to proprietary code, intellectual property theft, and potential supply chain attacks.

🏢 Affected Saudi Sectors

Government Banking Energy Telecommunications Healthcare Financial Services Technology/Software Development

🎯 MITRE ATT&CK Techniques

T1078 - Valid Accounts (using manipulated parameters to access unauthorized resources) T1190 - Exploit Public-Facing Application (remote exploitation of OneDev) T1556 - Modify Authentication Process (authorization bypass) T1087 - Account Discovery (enumerating accessible issues/PRs) T1526 - Enumerate External Targets (reconnaissance of project structure)

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all OneDev instances in your environment running versions up to 15.0.5

2. Restrict network access to OneDev servers to authorized personnel only using firewall rules

3. Enable detailed audit logging for all pull request and issue access attempts

4. Review access logs for suspicious activity patterns indicating unauthorized issue/PR access



Patching Guidance:

1. Upgrade OneDev to version 15.0.6 or later immediately when available

2. If upgrade is not immediately possible, implement compensating controls

3. Test patches in non-production environments before deployment



Compensating Controls (if patch unavailable):

1. Implement network segmentation to restrict OneDev access to VPN/internal networks only

2. Enforce multi-factor authentication (MFA) for all OneDev user accounts

3. Implement IP whitelisting for OneDev API access

4. Disable or restrict pull request and issue API endpoints if not actively used

5. Monitor and alert on unusual access patterns to /issues/ endpoints



Detection Rules:

1. Alert on multiple failed authorization attempts to issue endpoints

2. Monitor for requests with manipulated issue parameters (e.g., issue IDs outside user's project scope)

3. Track access to issues/PRs by users without explicit permissions

4. Log all API calls to /issues/ endpoint with full request parameters

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع مثيلات OneDev في بيئتك التي تعمل بالإصدارات حتى 15.0.5

2. قيد الوصول إلى شبكة خوادم OneDev للموظفين المصرح لهم فقط باستخدام قواعد جدار الحماية

3. فعّل تسجيل التدقيق التفصيلي لجميع محاولات الوصول إلى طلبات السحب والمشاكل

4. راجع سجلات الوصول للبحث عن أنماط نشاط مريبة تشير إلى وصول غير مصرح به

إرشادات التصحيح:

1. قم بترقية OneDev إلى الإصدار 15.0.6 أو أحدث فوراً عند توفره

2. إذا لم يكن الترقية ممكنة على الفور، قم بتنفيذ ضوابط تعويضية

3. اختبر التصحيحات في بيئات غير الإنتاج قبل النشر

الضوابط التعويضية:

1. قم بتنفيذ تقسيم الشبكة لتقييد وصول OneDev إلى الشبكات الداخلية/VPN فقط

2. فرض المصادقة متعددة العوامل لجميع حسابات مستخدمي OneDev

3. تنفيذ قائمة بيضاء IP لوصول OneDev API

4. تعطيل أو تقييد نقاط نهاية API لطلبات السحب والمشاكل إذا لم تكن قيد الاستخدام

5. مراقبة والتنبيه عن أنماط الوصول غير العادية إلى نقاط نهاية /issues/

قواعد الكشف:

1. التنبيه على محاولات فشل متعددة للتفويض إلى نقاط نهاية المشاكل

2. مراقبة الطلبات ذات معاملات المشاكل المعدلة

3. تتبع الوصول إلى المشاكل/PRs من قبل المستخدمين بدون صلاحيات صريحة

4. تسجيل جميع استدعاءات API إلى نقطة نهاية /issues/ مع معاملات الطلب الكاملة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.9.1.1 - Access control policy (authorization bypass violates access control principles) A.9.2.1 - User registration and access management (improper authorization) A.9.4.3 - Password management (MFA enforcement as compensating control) A.12.4.1 - Event logging (audit trail requirements for access attempts)

🔵 SAMA CSF

AC-2: Account Management (authorization failures) AC-3: Access Enforcement (improper authorization implementation) AU-2: Audit Events (logging of access attempts) SI-4: Information System Monitoring (detection of unauthorized access)

🟡 ISO 27001:2022

A.9.1.1 - Access control policy A.9.2.1 - User registration and access management A.9.2.5 - Access rights review A.9.4.3 - Password management A.12.4.1 - Event logging

🟣 PCI DSS v4.0.1

Requirement 7 - Restrict access to data by business need to know (if payment systems code stored) Requirement 8 - Identify and authenticate access to system components Requirement 10 - Track and monitor all access to network resources

🔗 References & Sources 6

🔗

https://github.com/theonedev/onedev/releases/tag/v15.0.6

cna@vuldb.com

🔗

https://vuldb.com/cve/CVE-2026-11441

cna@vuldb.com

🔗

https://vuldb.com/submit/822957

cna@vuldb.com

🔗

https://vuldb.com/vuln/369021

cna@vuldb.com

🔗

https://vuldb.com/vuln/369021/cti

cna@vuldb.com

🔗

https://www.cnblogs.com/aibot/p/19994142

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-266

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-06-06

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-266

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-11441

Introduce Yourself

Sign In Required