CVE-2026-11438
Description
Improper authorization in onedev allows unauthorized cross-project repository forking, potentially exposing private data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in onedev up to version 15.0.5, in the /projects project-creation handler. Manipulating the project.forkedFromId argument bypasses authorization and gives the caller access to source projects they are not entitled to read [1]. The affected workflow does not check whether the caller has read permission on the source project referenced by forkedFromId before proceeding with the fork operation [1].
Exploitation
An attacker who is permitted to create projects within a namespace can exploit this vulnerability. They can initiate a project fork by providing a project.forkedFromId that points to a private source project they should not have access to. The system then proceeds to mirror repository data, LFS objects, commit metadata, and the project avatar from the source project into the attacker-controlled target project without enforcing source-project read authorization [1].
Impact
Successful exploitation allows an attacker to replicate the contents and related metadata of a private repository into a project they fully control, even if they lack the necessary read permissions for the original repository. Since newly created projects grant Owner-level authorization to the creator, the attacker can subsequently grant themselves read access to the copied repository contents through normal repository APIs, potentially leading to unauthorized cross-project replication of sensitive data [1].
Mitigation
Version 15.0.6 of onedev addresses this issue [2]. Upgrading to this version or a later one is recommended. The suggested remediation involves requiring explicit source-project visibility and/or code-read authorization before accepting forkedFromId, and adding defensive verification within the fork service implementation [1].
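The remediation described above has two parts: refuse a forkedFromId the caller cannot read at the request boundary, and re-check inside the fork service so a caller that skips the first check still cannot mirror the source. The following is an added illustration of that pattern, not OneDev's own code; the names (Project, ForkService, can_read_code, fork_insecure, fork) and the sample projects and users are hypothetical and constructed for the example. fork_insecure reproduces the flaw the advisory describes (only the create-project right is checked); fork is the hardened path.

```python
"""Added example: two-layer authorization on a fork request.

All names here are hypothetical and do not correspond to OneDev's classes or
endpoints; they stand in for any project/permission model.
"""
from dataclasses import dataclass, field


@dataclass
class Project:
    id: int
    name: str
    public: bool = False
    readers: set = field(default_factory=set)  # user ids granted code-read permission
    owners: set = field(default_factory=set)   # user ids granted Owner authorization
    data: str = ""  # stands in for repository, LFS objects, commit metadata, avatar


class ForkDenied(PermissionError):
    """Raised when a fork request fails authorization."""


def can_read_code(user_id: int, project: Project) -> bool:
    """Code-read permission: public project, explicit reader, or owner."""
    return project.public or user_id in project.readers or user_id in project.owners


class ForkService:
    """Hypothetical fork service (not OneDev's implementation)."""

    def __init__(self, projects, creators):
        self.projects = {p.id: p for p in projects}
        self.creators = set(creators)  # users allowed to create projects in the namespace
        self._next_id = max(self.projects) + 1

    def _new_project(self, user_id, name):
        # Newly created projects grant Owner authorization to the creator.
        p = Project(id=self._next_id, name=name, owners={user_id})
        self._next_id += 1
        self.projects[p.id] = p
        return p

    def _mirror(self, user_id, source, target):
        # Defensive check inside the service itself: even a caller that skipped
        # the request-level check cannot mirror a source the user may not read.
        if not can_read_code(user_id, source):
            raise ForkDenied("source project not found or not readable")
        target.data = source.data

    def fork_insecure(self, user_id, forked_from_id, name):
        """The pattern the advisory describes: only the create right is checked."""
        if user_id not in self.creators:
            raise ForkDenied("cannot create projects here")
        source = self.projects[forked_from_id]
        target = self._new_project(user_id, name)
        target.data = source.data  # mirrored with no read check on the source
        return target

    def fork(self, user_id, forked_from_id, name):
        """Hardened request path: source read authorization before any copy."""
        if user_id not in self.creators:
            raise ForkDenied("cannot create projects here")
        source = self.projects.get(forked_from_id)
        # Unknown ids and unreadable projects get the same answer, so the
        # forkedFromId parameter cannot be used to enumerate private projects.
        if source is None or not can_read_code(user_id, source):
            raise ForkDenied("source project not found or not readable")
        target = self._new_project(user_id, name)
        self._mirror(user_id, source, target)
        return target


def build_demo():
    """Constructed sample state: one private and one public project, two users."""
    private = Project(id=10, name="internal", data="private repo contents", owners={1})
    public = Project(id=11, name="docs", public=True, data="public repo contents", owners={1})
    # user 1 owns both projects; user 2 may create projects but cannot read project 10
    return ForkService([private, public], creators={1, 2})


if __name__ == "__main__":
    svc = build_demo()
    leaked = svc.fork_insecure(2, 10, "copy")
    print("insecure fork copied:", repr(leaked.data))
    try:
        svc.fork(2, 10, "copy2")
    except ForkDenied as exc:
        print("hardened fork refused:", exc)
    print("hardened fork of public project:", svc.fork(2, 11, "copy3").data)
```

The request-level check runs before the target project is created, so a refused request leaves no half-built project behind; the check inside _mirror is intentionally redundant, which is the "defensive verification within the fork service" the advisory recommends.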
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
1b637d2546f0b  fix: Update shipped postgresql lib
2 files changed · +0 −0
server-product/system/site/lib/postgresql-42.7.11.jar  +0 −0  added
server-product/system/site/lib/postgresql-42.7.3.jar  +0 −0  removed
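Review bot: the file list for this commit only swaps a binary JDBC driver (postgresql-42.7.3.jar removed, postgresql-42.7.11.jar added) and touches no fork or authorization code, so it cannot be the change that adds the source-project read check described under Mitigation; the commit that actually enforces read authorization on forkedFromId should be linked here instead, or this one should be marked as unrelated to the CVE.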
References (6)
News mentions (0)
No linked articles in our index yet.