Skip to main content

Oneuptime CVE-2024-29194

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2024-03-24 security-advisories@github.com
8.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
CVE Published
Mar 24, 2024 - 19:15 cve.org
HIGH 8.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on @oneuptime/model (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.0.1815.

DescriptionCVE.org

OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815.

AnalysisAI

OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-639. OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815. Affected products include: Hackerbay Oneuptime.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2026-27728 CRITICAL POC
9.9 Feb 25

OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands

CVE-2026-30957 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2026-30887 CRITICAL POC
9.9 Mar 10

OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf

CVE-2026-30956 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

CVE-2026-30921 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

CVE-2025-65966 HIGH POC
8.8 Nov 26

OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-30920 HIGH POC
8.6 Mar 10

OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by

CVE-2026-28787 HIGH POC
8.2 Mar 06

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio

CVE-2026-30958 HIGH POC
7.2 Mar 10

Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from

CVE-2025-66028 MEDIUM POC
6.9 Nov 26

OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit

CVE-2026-32306 CRITICAL
9.9 Mar 13

SQL injection in OneUptime telemetry API before 10.0.23.

Share

CVE-2024-29194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy