Insecure File Access in OneDev Git Server by The OneDev Team
CVE-2026-44647

7.1 HIGH

Key Information:

Vendor: Theonedev
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-44647?

OneDev, a Git server with integrated CI/CD, kanban, and package management, has an improper access control vulnerability in versions prior to 15.0.2. The boundary between repository-controlled LFS metadata and server-local filesystem paths was not enforced, so a user with push privileges to any repository could craft repository objects that redirect raw blob reads to arbitrary local files, exposing any file readable by the server account. Update to version 15.0.2 or later to mitigate this risk.

Affected Version(s)

onedev < 15.0.2
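The defensive pattern the fix implies is to treat LFS pointer contents as untrusted input: validate the object id strictly before it ever becomes part of a path, and confirm the resolved path stays inside the LFS store. The following is an added illustration in Python, not OneDev's code; the pointer format is the public Git LFS pointer spec, while the `ab/cd/<oid>` storage layout and the function names are assumptions for this example.

```python
import re
from pathlib import Path

# A Git LFS pointer is a small text blob of "key value" lines; the oid field is
# "sha256:" followed by exactly 64 lowercase hex characters (LFS pointer spec).
OID_RE = re.compile(r"^sha256:([0-9a-f]{64})$")
LFS_VERSION = "https://git-lfs.github.com/spec/v1"


def parse_lfs_pointer(text: str) -> dict:
    """Split a pointer blob into fields without trusting any of their values."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(" ")
        if not sep:
            raise ValueError(f"malformed pointer line: {line!r}")
        fields[key] = value
    if fields.get("version") != LFS_VERSION:
        raise ValueError("unsupported LFS pointer version")
    return fields


def resolve_lfs_object(storage_root, pointer_text: str) -> Path:
    """Map a pointer's oid to a file under storage_root, or raise ValueError.

    The oid is checked against a strict hex pattern before it is used to build
    a path, and the resolved path is then confirmed to lie under the root, so
    repository-controlled metadata cannot steer the read to another local file.
    """
    fields = parse_lfs_pointer(pointer_text)
    match = OID_RE.match(fields.get("oid", ""))
    if not match:
        raise ValueError("oid is not a sha256 hex digest")
    oid = match.group(1)
    root = Path(storage_root).resolve()
    # Assumed store layout: <root>/<hex[0:2]>/<hex[2:4]>/<oid> (git-lfs style).
    candidate = (root / oid[:2] / oid[2:4] / oid).resolve()
    if root not in candidate.parents:
        raise ValueError("resolved path escapes the LFS storage root")
    return candidate


if __name__ == "__main__":
    # Constructed sample pointer; the oid is a placeholder digest, not a real object.
    sample = f"version {LFS_VERSION}\noid sha256:{'a' * 64}\nsize 12\n"
    print(resolve_lfs_object("/var/lib/onedev-lfs-example", sample))
```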

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved