CVE-2026-44647

Vulnerability

CVE-2026-44647 is a path traversal vulnerability in OneDev, a Git server with CI/CD features. The bug resides in how the application resolves Git LFS (Large File Storage) pointers. A specially crafted repository object can trick the server into reading arbitrary local files from the filesystem, instead of only permitted LFS storage paths. This violates the expected boundary between repository-controlled metadata and the server's filesystem.

Exploitation

To exploit this, an attacker needs only push permission to any repository on the OneDev instance. No additional authentication or network position is required. By manipulating LFS pointer metadata in a pushed commit, the attacker can direct the blob read operation to any file path accessible by the server process. The advisory describes a read capability that breaks the separation between repository data and server-local paths [1].

Impact

A successful attack allows an authenticated user with push rights to read any file that the OneDev server process can access. This includes sensitive files such as configuration files, secrets, private keys, or database credentials, depending on the server's environment and permissions. The impact is high because it exposes the underlying server infrastructure to a low-privileged attacker.

Mitigation

The vulnerability is fixed in OneDev version 15.0.2 [1]. Users should upgrade immediately. No workarounds are mentioned. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.