Skip to content

Absolute-path symlink following in TarUtils.untar allows low-privileged users to overwrite arbitrary server files leading to RCE

High
robinshine published GHSA-55g8-94r5-cj37 May 24, 2026

Package

OneDev server

Affected versions

<=15.0.6

Patched versions

15.0.7

Description

TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. Exploitable by any authenticated user with CI Job write access — no admin interaction required.

This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets.

This issue is analyzed and reported by "Sehwang Kim of AhnLab"

Severity

High

CVE ID

CVE-2026-49248

Weaknesses

No CWEs

Credits