A critical security vulnerability was found in OneDev relating to git LFS. Any user with permission to push to a repository was able to read arbitrary file on OneDev server via crafted LFS oid. This issue has been fixed in 15.0.2. Please upgrade your installation as soon as possible.