Improper access control in OneDev - CVE-2021-21246

Published: January 12, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129792
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-21246
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OneDev
Software vendor: OneDev

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the UserResource /users/{id} REST API endpoint enforces insufficient access control when handling requests. A remote attacker can send a specially crafted request to this endpoint and obtain sensitive information about the requested user.

Exposed user details include access tokens, which may allow impersonation of the affected user and access to projects available to that account.
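The defect class described above, as an added illustration that is not OneDev's code: a user-resource handler that serializes the whole entity (secret included) for any caller, next to a hardened version that requires authentication, returns private fields only to the account owner or an administrator, and never places the access token in a read response. The `User` records, field names and the `SECRET_FIELDS` list are constructed for this example; `response_leaks_secret` is the kind of regression check a team would keep in its API tests.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed list of field names that must never appear in a read response.
SECRET_FIELDS = {"accessToken", "password", "passwordHash", "ssoToken"}


@dataclass(frozen=True)
class User:
    id: int
    name: str
    email: str
    access_token: str  # constructed sample value, not a real token
    is_admin: bool = False


# Constructed sample data standing in for the user table.
USERS = {
    1: User(1, "alice", "alice@example.test", "tok-alice-CONSTRUCTED", is_admin=True),
    2: User(2, "bob", "bob@example.test", "tok-bob-CONSTRUCTED"),
}


class Unauthorized(Exception):
    """No authenticated caller (HTTP 401)."""


class NotFound(Exception):
    """Requested user id does not exist (HTTP 404)."""


def get_user_vulnerable(target_id: int, caller: Optional[User] = None) -> dict:
    """Flawed pattern: the caller is never checked, and the serializer emits
    every field of the entity, including the access token."""
    u = USERS.get(target_id)
    if u is None:
        raise NotFound(target_id)
    return {"id": u.id, "name": u.name, "email": u.email,
            "accessToken": u.access_token}


def get_user_hardened(target_id: int, caller: Optional[User]) -> dict:
    """Hardened pattern: authentication is mandatory, private fields are
    released only to the owner or an admin, and secrets are never serialized
    by a read endpoint at all."""
    if caller is None:
        raise Unauthorized("authentication required")
    u = USERS.get(target_id)
    if u is None:
        raise NotFound(target_id)
    # Public profile visible to any authenticated caller.
    payload = {"id": u.id, "name": u.name}
    # Private contact data only for the account owner or an administrator.
    if caller.id == u.id or caller.is_admin:
        payload["email"] = u.email
    # access_token is deliberately absent: a credential should be shown once,
    # at creation time, and otherwise only revoked or rotated.
    return payload


def response_leaks_secret(payload: dict) -> bool:
    """Regression check for API tests: True if any secret-bearing field
    would reach the wire in this response."""
    return any(key in SECRET_FIELDS for key in payload)
```

The check in `response_leaks_secret` is cheap to run against every serialized response in an integration test suite, and catches the common way this class of bug is introduced: a serializer that reflects the whole entity, so that adding a secret field to the model silently adds it to the API.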


Remediation

Install the security update from the vendor's website.

External links