CVE-2026-44647 HIGH

CVE-2026-44647: OneDev: Path Traversal (read capability via Git LFS pointer resolution)

Vendor Theonedev
Product onedev
Weakness CWE-22 · Path traversal
Published May 14, 2026
Last update May 16, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, its Git LFS pointer resolution does not enforce the expected boundary between repository-controlled LFS metadata and server-local filesystem paths: an object committed to a repository can steer raw blob reads to arbitrary local files that the server account can access. Any user with push permission to any repository can therefore read any server file accessible to the server process. This vulnerability is fixed in 15.0.2.
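The following is an added illustration of the class of defect the description names, not OneDev's code and not the actual fixed or vulnerable routine. It models an LFS pointer (the `version`/`oid`/`size` text blob Git LFS stores in place of a large file) and shows a resolver that joins the repository-controlled object id straight onto the server's LFS storage directory beside a hardened resolver that validates the id as a SHA-256 hex digest and confirms the resolved path still lies under that directory. The storage layout (`<dir>/<oid[0:2]>/<oid[2:4]>/<oid>`) follows the git-lfs client convention and is an assumption; the directory name and sample pointers are constructed for the example.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Git LFS pointer format marker (from the LFS spec); everything else here is illustrative.
LFS_POINTER_VERSION = "https://git-lfs.github.com/spec/v1"
# A valid LFS object id is exactly 64 lowercase hex characters (SHA-256).
OID_RE = re.compile(r"[0-9a-f]{64}")

# Constructed example storage directory; not a real OneDev path.
LFS_DIR = "/var/lib/example-git-server/lfs"

GOOD_OID = "a" * 64
# Constructed pointer whose oid field is a relative path instead of a digest.
EVIL_OID = "../../../../etc/hostname"


def parse_lfs_pointer(blob: bytes) -> Optional[dict]:
    """Minimal pointer parser: returns {'oid': ..., 'size': ...} or None if not a pointer.

    Deliberately does NOT validate the oid value: the pointer is repository content
    and the trust boundary must be enforced by the resolver, not assumed here.
    """
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return None
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(" ")
        if not sep:
            return None
        fields[key] = value
    if fields.get("version") != LFS_POINTER_VERSION or "oid" not in fields:
        return None
    algo, sep, digest = fields["oid"].partition(":")
    if sep != ":" or algo != "sha256":
        return None
    return {"oid": digest, "size": fields.get("size")}


def resolve_lfs_object_unsafe(lfs_dir: str, oid: str) -> str:
    """Vulnerable pattern: untrusted oid is used directly as a path component.

    os.path.join discards lfs_dir entirely if oid is absolute, and '..' segments
    walk out of the storage directory, so a crafted pointer selects any file the
    server process can read.
    """
    return os.path.join(lfs_dir, oid)


def resolve_lfs_object_safe(lfs_dir: str, oid: str) -> Optional[str]:
    """Hardened resolver: strict syntax check plus path containment check.

    Returns None (callers should answer 'not found') when the oid is rejected.
    """
    # 1. Only a bare SHA-256 hex digest is acceptable; this alone rules out
    #    separators, '..', and absolute paths.
    if not OID_RE.fullmatch(oid):
        return None
    root = Path(lfs_dir).resolve()
    # 2. Sharded layout assumed for the example; resolve() normalises symlinks and '..'.
    target = (root / oid[:2] / oid[2:4] / oid).resolve()
    # 3. Defence in depth: the resolved file must still sit below the storage root.
    if root not in target.parents:
        return None
    return str(target)


def resolve_from_pointer(lfs_dir: str, blob: bytes) -> Optional[str]:
    """End-to-end: pointer blob from the repository -> confined on-disk path or None."""
    pointer = parse_lfs_pointer(blob)
    if pointer is None:
        return None
    return resolve_lfs_object_safe(lfs_dir, pointer["oid"])


def make_pointer(oid: str, size: int = 12345) -> bytes:
    """Build a constructed pointer blob for the example."""
    return f"version {LFS_POINTER_VERSION}\noid sha256:{oid}\nsize {size}\n".encode()


if __name__ == "__main__":
    print("unsafe :", os.path.normpath(resolve_lfs_object_unsafe(LFS_DIR, EVIL_OID)))
    print("safe   :", resolve_from_pointer(LFS_DIR, make_pointer(EVIL_OID)))
    print("valid  :", resolve_from_pointer(LFS_DIR, make_pointer(GOOD_OID)))
```

The syntax check is the fix that matters; the containment check after `resolve()` is there so that a future change to the storage layout or a symlink inside the storage directory cannot silently reopen the hole.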

Key dates

Disclosure timeline

May 14, 2026 CVE published
May 16, 2026 Record updated