CVE-2026-49248
HIGHOneDev <= 15.0.6 - Authenticated Arbitrary File Overwrite via TarUtils.untar
Title source: manualDescription
OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/theonedev/onedev/security/advisories/GHSA-55g8-94r5-cj37
X_Refsource_Misc x_refsource_misc
https://github.com/theonedev/onedev/commit/4f8684acebc4bfeefd3c7e23a34a4fd591cb27ad
Scores
CVSS v4
8.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Details
CWE
CWE-61
Status
published
Products (1)
theonedev/onedev
< 15.0.7
Published
Jun 18, 2026
Tracked Since
Jun 19, 2026