Improper access control in OneDev - CVE-2021-21246

 

Improper access control in OneDev - CVE-2021-21246

Published: January 12, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129792
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-21246
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OneDev
Affected software:
OneDev

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the UserResource /users/{id} endpoint when handling crafted REST API requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Exposed user details include access tokens, which may allow impersonation of the affected user and access to projects available to that account.


How to mitigate CVE-2021-21246

Install security update from vendor's website.

Sources