CVE-2026-11441
Description
Improper authorization in TheOpenDev's Pull Request Handler allows remote attackers to fork private repositories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in TheOpenDev versions up to 15.0.5 within the canAccessIssue function of the /issues/ component, specifically affecting the Pull Request Handler. Improper authorization occurs due to manipulation of the issue argument, allowing unauthorized access to repository data during project forking.
Exploitation
An attacker with permissions to create projects within a namespace can exploit this by setting the project.forkedFromId property to reference a source project they do not have read access to. The system fails to validate the caller's read authorization for the source project before proceeding with the fork operation, which involves copying repository data, LFS objects, commit metadata, and project avatar information [1].
Impact
Successful exploitation allows an attacker to replicate the contents and metadata of a private repository into a project they fully control. Since newly created projects grant owner-level authorization to the creator, the attacker can subsequently gain read access to the copied repository contents through normal APIs, enabling unauthorized cross-project replication of private repository data [1].
Mitigation
This issue is resolved in TheOpenDev version 15.0.6. It is recommended to upgrade to this version or later. The fix requires explicit source-project visibility and/or code-read authorization before accepting forkedFromId, and adds defensive verification within the fork service implementation [2].
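The gap described in the Exploitation and Mitigation paragraphs, as an added example that is not TheOpenDev's code: a minimal fork service with the vulnerable handler (only the create-project permission on the target namespace is checked) beside the fixed one, which verifies the caller's read access to the source project before accepting `forked_from_id` and re-checks inside the service. The `Project`, `ForkService`, `can_read_code` names and the sample projects are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    id: int
    namespace: str
    visibility: str                            # "public" or "private"
    members: set = field(default_factory=set)  # users with code-read access
    repo_data: str = ""                        # stands in for git data, LFS objects, avatar

def can_read_code(user, project):
    # Read authorization: public projects for everyone, private ones for members only.
    return project.visibility == "public" or user in project.members

class ForkService:
    def __init__(self, projects, namespaces):
        self.projects = projects      # project id -> Project
        self.namespaces = namespaces  # namespace -> owning user
        self.next_id = max(projects) + 1
    def _can_create(self, user, namespace):
        return self.namespaces.get(namespace) == user
    def _copy(self, user, source, namespace):
        # The new project is private and owned by the caller, as the narrative describes.
        new = Project(self.next_id, namespace, "private", {user}, source.repo_data)
        self.projects[new.id] = new
        self.next_id += 1
        return new
    def fork_unchecked(self, user, forked_from_id, namespace):
        """Vulnerable shape: only create permission on the target namespace is checked;
        forked_from_id is trusted as supplied, so a private source gets copied."""
        if not self._can_create(user, namespace):
            raise PermissionError("cannot create projects in this namespace")
        return self._copy(user, self.projects[forked_from_id], namespace)
    def fork(self, user, forked_from_id, namespace):
        """Fixed shape: verify read access to the source before accepting forked_from_id."""
        if not self._can_create(user, namespace):
            raise PermissionError("cannot create projects in this namespace")
        source = self.projects.get(forked_from_id)
        if source is None or not can_read_code(user, source):
            raise PermissionError("source project not found")  # same answer for missing/unreadable
        return self._copy_verified(user, source, namespace)
    def _copy_verified(self, user, source, namespace):
        if not can_read_code(user, source):  # defensive re-check inside the fork service
            raise PermissionError("source project not readable")
        return self._copy(user, source, namespace)

def build_fixture():
    """Constructed sample data: a victim's private and public projects, attacker namespace."""
    projects = {1: Project(1, "victim", "private", {"victim"}, "secret-source"),
                2: Project(2, "victim", "public", {"victim"}, "open-source")}
    return ForkService(projects, {"victim": "victim", "attacker": "attacker"})
```

The fixed handler returns the same error for a missing and an unreadable source so the fork endpoint does not become an existence oracle for private project ids.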
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1b637d2546f0b fix: Update shipped postgresql lib
2 files changed · +0 −0
- server-product/system/site/lib/postgresql-42.7.11.jar (+0 −0, added)
- server-product/system/site/lib/postgresql-42.7.3.jar (+0 −0, removed)
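Review bot: the only listed change is a binary dependency swap (postgresql-42.7.3.jar removed, postgresql-42.7.11.jar added, +0 −0 lines), which does not touch the canAccessIssue / forkedFromId authorization path the narrative above describes; either the commit that adds the source-project read check is missing from this patch list, or this reference is an unrelated library bump, and the page should state which so readers do not take the jar update as the fix.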
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions (6)
Linked articles (0): no linked articles in our index yet.