PatchSiren cyber security CVE debrief
CVE-2026-11438 theonedev CVE debrief
CVE-2026-11438 is an improper authorization vulnerability in theonedev onedev up to version 15.0.5. It affects unspecified functionality of the file /projects and is triggered by manipulating the argument project.forkedFromId. It can be exploited remotely. Upgrading to version 15.0.6 addresses this issue.
- Vendor: theonedev
- Product: onedev
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Anyone running theonedev onedev up to and including version 15.0.5 should be aware of this vulnerability and upgrade to version 15.0.6.
Technical summary
The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 15.0.6 of theonedev onedev.
Evidence notes
The vulnerability was published on 2026-06-06T17:16:41.713Z and modified on 2026-06-08T14:57:14.757Z.