A vulnerability was found in theonedev onedev up to 15.0.5 . It has been declared as critical . Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler . The manipulation of the argument project.parentId results in improper authorization. This vulnerability was named CVE-2026-11439 . The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.