Github
CVE-2026-30920
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on @oneuptime/common (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 10.0.19.
DescriptionGitHub Advisory
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
AnalysisAI
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by exploiting insufficient validation in the OAuth callback handler, enabling them to redirect repository access and create code records in arbitrary projects. Public exploit code exists for this vulnerability, and GitHub and OneUptime users remain at risk until patches are applied, as no fixes are currently available for the affected GitHub integration.
Technical ContextAI
This vulnerability (CWE-345: Insufficient Verification of Data Authenticity) affects Oneuptime. OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used
RemediationAI
Fixed in version 10.0.19.. Restrict network access to the affected service where possible.
Supply chain vulnerability in Eclipse Theia GitHub Actions workflow. The preview.yml workflow uses pull_request_target w
Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables ma
Eigent multi-agent workflow CI pipeline (ci.yml) uses pull_request_target with checkout of untrusted PR code, enabling a
Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCrede
PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enab
Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore i
Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package dire
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
A security vulnerability in WilderForge (CVSS 9.9). Critical severity with potential for significant impact on affected
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-656w-6f6c-m9r6