CVE-2026-44647
OneDev: Path Traversal (read capability via Git LFS pointer resolution)
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.
| CWE | CWE-22 |
| Vendor | theonedev |
| Product | onedev |
| Published | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for theonedev onedev
Be the first to know when new unknown vulnerabilities affecting theonedev onedev are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
theonedev / onedev
< 15.0.2