Skip to main content

Oneuptime CVE-2026-34758

| EUVDEUVD-2026-18511 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-02 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:46 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.0.42
EUVD ID Assigned
Apr 02, 2026 - 19:01 euvd
EUVD-2026-18511
Analysis Generated
Apr 02, 2026 - 19:01 vuln.today
CVE Published
Apr 02, 2026 - 18:49 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.

AnalysisAI

Unauthenticated access to notification and phone management endpoints in OneUptime <10.0.42 allows remote attackers to abuse SMS, voice call, email, and WhatsApp messaging services and purchase phone numbers without authentication. The CVSS 9.1 (Critical) rating reflects network-accessible attack vector with no authentication required (PR:N) and low complexity (AC:L), enabling immediate abuse of platform communication services and potential financial fraud. Vendor-released patch available in version 10.0.42. No public exploit identified at time of analysis, though EPSS risk assessment would likely be elevated given the simplicity of exploitation and clear abuse potential.

Technical ContextAI

OneUptime is a comprehensive open-source monitoring and observability platform designed for infrastructure and application monitoring with integrated notification capabilities. This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where API endpoints responsible for testing notification channels (SMS, voice calls, email, WhatsApp) and managing phone number resources lack authentication enforcement. The affected CPE (cpe:2.3:a:oneuptime:oneuptime) indicates the core platform application is vulnerable. The CVSS vector indicates these endpoints are exposed over the network (AV:N) with no authentication barrier (PR:N), allowing any remote actor to invoke notification tests or phone number procurement functions. The underlying issue represents a common authentication bypass pattern in API design where administrative or resource-intensive operations are inadvertently exposed without proper access control validation.

RemediationAI

Upgrade immediately to OneUptime version 10.0.42 or later, which contains the authentication enforcement fix. The vendor-released patch is available via the official GitHub release at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42, with the specific security fix implemented in commit 9adbd04538714740506708d6fa610e433be4d2a4 (https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4). No workarounds are provided in the advisory; patching is the only effective remediation. Organizations should prioritize this upgrade to prevent unauthorized access to notification endpoints and phone number management functions. After upgrading, review platform logs for any suspicious notification test activity or unauthorized phone number purchases that may have occurred during the vulnerability window. Refer to the GitHub Security Advisory GHSA-q253-6wcm-h8hp for complete vendor guidance.

CVE-2026-27728 CRITICAL POC
9.9 Feb 25

OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands

CVE-2026-30957 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2026-30887 CRITICAL POC
9.9 Mar 10

OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf

CVE-2026-30956 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

CVE-2026-30921 CRITICAL POC
9.9 Mar 10

OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.

CVE-2025-65966 HIGH POC
8.8 Nov 26

OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-30920 HIGH POC
8.6 Mar 10

OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by

CVE-2024-29194 HIGH POC
8.3 Mar 24

OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability

CVE-2026-28787 HIGH POC
8.2 Mar 06

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio

CVE-2026-30958 HIGH POC
7.2 Mar 10

Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from

CVE-2025-66028 MEDIUM POC
6.9 Nov 26

OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit

Share

CVE-2026-34758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy