CVE-2026-49248
OneDev: RCE through absolute-path symlink following allows low-privileged users to overwrite arbitrary server via TarUtils.untar
Description
OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.
INFO
Published Date :
June 18, 2026, 7:54 p.m.
Last Modified :
June 18, 2026, 7:54 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Solution
- Update OneDev to version 15.0.7 or later.
- Ensure TAR archives are validated for absolute symlinks.
- Restrict CI Job write access to authorized users.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-49248 vulnerability anywhere in the article.