PatchSiren cyber security CVE debrief
CVE-2026-11440 theonedev CVE debrief
CVE-2026-11440 is a vulnerability in onedev versions up to 15.0.5. It affects an unspecified part of the file /repositories/{projectId}/default-branch in the REST API component. Manipulation of the argument project.defaultBranch leads to improper authorization, and the attack can be initiated remotely. Upgrading to version 15.0.6 mitigates this issue; upgrading the affected component is advised.
- Vendor: theonedev
- Product: onedev
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Operators of onedev instances running version 15.0.5 or earlier should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Decoded, the base metrics indicate that the issue is reachable over the network (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L) and no user interaction (UI:N), and has low impact on the confidentiality, integrity and availability of the vulnerable system (VC:L/VI:L/VA:L) with no impact on subsequent systems.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 15.0.6 or later.
- Review and adjust the configuration of the affected component (the REST API), in particular which accounts are permitted to change project settings.
Evidence notes
The vulnerability was confirmed in onedev versions up to 15.0.5.
Official resources
CVE-2026-11440 was published on 2026-06-06T18:16:53.243Z and modified on 2026-06-08T14:57:14.757Z.