CVE-2026-49248
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
In versions 15.0.6 and below, the TarUtils.untar() function in OneDev creates symbolic links without validating whether the target is an absolute path. This allows writing to arbitrary server-side locations by authenticated users with CI Job write access.
Risk Assessment
The organization is exposed to unauthorized access to the file system, which may lead to data loss or server compromise. Any authenticated user with the appropriate permissions can exploit this vulnerability.
Recommendation
It is recommended to upgrade to version 15.0.7, which fixes this vulnerability. Additionally, review user permissions for CI Job access to minimize risk.
Original NVD description (English source)
OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.

