CRITICAL🇵🇱 Wersja polska

CVE-2026-34759

CVSS 9.2v4.0pub. 2026-04-02upd. 2026-04-13

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Hackerbay Oneuptime

    APP
    Hackerbay
    < 10.0.42
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-34758CRITICAL9.1PL ✓ten sam produkt

OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami

CVE-2026-35053CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)

CVE-2026-33396CRITICAL9.9PL ✓ten sam produkt

RCE w OneUptime — command injection przez Playwright w Synthetic Monitor

CVE-2026-32306CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE

CVE-2026-30921CRITICAL9.9PL ✓ten sam produkt

OneUptime: RCE przez niebezpieczny Playwright sandbox w Synthetic Monitors