📄 الوصف (الإنجليزية)
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.
🤖 ملخص AI
CVE-2026-11441 is a medium-severity authorization bypass vulnerability in OneDev versions up to 15.0.5 affecting the Pull Request Handler's issue access control. An attacker can manipulate the issue argument to bypass authorization checks and gain unauthorized access to pull requests and issues. While no public exploit is available, the vulnerability is remotely exploitable and poses a risk to organizations using OneDev for source code management and collaboration.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Jun 6, 2026 22:19
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily impacts Saudi government agencies, financial institutions, and large enterprises using OneDev for internal source code management and CI/CD pipelines. High-risk sectors include: (1) ARAMCO and energy sector companies managing critical infrastructure code, (2) Saudi banking institutions (SAMA-regulated) using OneDev for financial systems development, (3) Government entities under NCA oversight managing sensitive projects, (4) Telecommunications companies (STC, Mobily) managing network infrastructure code. The authorization bypass could lead to unauthorized access to proprietary code, intellectual property theft, and potential supply chain attacks.
🏢 القطاعات السعودية المتأثرة
Government
Banking
Energy
Telecommunications
Healthcare
Financial Services
Technology/Software Development
🎯 تقنيات MITRE ATT&CK
T1078 - Valid Accounts (using manipulated parameters to access unauthorized resources)
T1190 - Exploit Public-Facing Application (remote exploitation of OneDev)
T1556 - Modify Authentication Process (authorization bypass)
T1087 - Account Discovery (enumerating accessible issues/PRs)
T1526 - Enumerate External Targets (reconnaissance of project structure)
⚖️ درجة المخاطر السعودية (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all OneDev instances in your environment running versions up to 15.0.5
2. Restrict network access to OneDev servers to authorized personnel only using firewall rules
3. Enable detailed audit logging for all pull request and issue access attempts
4. Review access logs for suspicious activity patterns indicating unauthorized issue/PR access
Patching Guidance:
1. Upgrade OneDev to version 15.0.6 or later immediately when available
2. If upgrade is not immediately possible, implement compensating controls
3. Test patches in non-production environments before deployment
Compensating Controls (if patch unavailable):
1. Implement network segmentation to restrict OneDev access to VPN/internal networks only
2. Enforce multi-factor authentication (MFA) for all OneDev user accounts
3. Implement IP whitelisting for OneDev API access
4. Disable or restrict pull request and issue API endpoints if not actively used
5. Monitor and alert on unusual access patterns to /issues/ endpoints
Detection Rules:
1. Alert on multiple failed authorization attempts to issue endpoints
2. Monitor for requests with manipulated issue parameters (e.g., issue IDs outside user's project scope)
3. Track access to issues/PRs by users without explicit permissions
4. Log all API calls to /issues/ endpoint with full request parameters
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات OneDev في بيئتك التي تعمل بالإصدارات حتى 15.0.5
2. قيد الوصول إلى شبكة خوادم OneDev للموظفين المصرح لهم فقط باستخدام قواعد جدار الحماية
3. فعّل تسجيل التدقيق التفصيلي لجميع محاولات الوصول إلى طلبات السحب والمشاكل
4. راجع سجلات الوصول للبحث عن أنماط نشاط مريبة تشير إلى وصول غير مصرح به
إرشادات التصحيح:
1. قم بترقية OneDev إلى الإصدار 15.0.6 أو أحدث فوراً عند توفره
2. إذا لم يكن الترقية ممكنة على الفور، قم بتنفيذ ضوابط تعويضية
3. اختبر التصحيحات في بيئات غير الإنتاج قبل النشر
الضوابط التعويضية:
1. قم بتنفيذ تقسيم الشبكة لتقييد وصول OneDev إلى الشبكات الداخلية/VPN فقط
2. فرض المصادقة متعددة العوامل لجميع حسابات مستخدمي OneDev
3. تنفيذ قائمة بيضاء IP لوصول OneDev API
4. تعطيل أو تقييد نقاط نهاية API لطلبات السحب والمشاكل إذا لم تكن قيد الاستخدام
5. مراقبة والتنبيه عن أنماط الوصول غير العادية إلى نقاط نهاية /issues/
قواعد الكشف:
1. التنبيه على محاولات فشل متعددة للتفويض إلى نقاط نهاية المشاكل
2. مراقبة الطلبات ذات معاملات المشاكل المعدلة
3. تتبع الوصول إلى المشاكل/PRs من قبل المستخدمين بدون صلاحيات صريحة
4. تسجيل جميع استدعاءات API إلى نقطة نهاية /issues/ مع معاملات الطلب الكاملة
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.9.1.1 - Access control policy (authorization bypass violates access control principles)
A.9.2.1 - User registration and access management (improper authorization)
A.9.4.3 - Password management (MFA enforcement as compensating control)
A.12.4.1 - Event logging (audit trail requirements for access attempts)
🔵 SAMA CSF
AC-2: Account Management (authorization failures)
AC-3: Access Enforcement (improper authorization implementation)
AU-2: Audit Events (logging of access attempts)
SI-4: Information System Monitoring (detection of unauthorized access)
🟡 ISO 27001:2022
A.9.1.1 - Access control policy
A.9.2.1 - User registration and access management
A.9.2.5 - Access rights review
A.9.4.3 - Password management
A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
Requirement 7 - Restrict access to data by business need to know (if payment systems code stored)
Requirement 8 - Identify and authenticate access to system components
Requirement 10 - Track and monitor all access to network resources
🔗 المراجع والمصادر 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/theonedev/onedev/releases/tag/v15.0.6
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11441
cna@vuldb.com
https://vuldb.com/submit/822957
cna@vuldb.com
https://vuldb.com/vuln/369021
cna@vuldb.com
https://vuldb.com/vuln/369021/cti
cna@vuldb.com
https://www.cnblogs.com/aibot/p/19994142
cna@vuldb.com