Is Nginx affected by CVE-2026-34759?

CVE-2026-34759 is a critical authentication bypass in OneUptime's notification API that allows unauthenticated attackers to manipulate connected Twilio accounts, including purchasing phone numbers and deleting alert configurations.

CVE-2026-34759

EUVD-2026-18513 CRITICAL

2026-04-02 GitHub_M

9.2

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 02, 2026 - 19:01 vuln.today

EUVD ID Assigned

Apr 02, 2026 - 19:01 euvd

EUVD-2026-18513

CVE Published

Apr 02, 2026 - 18:50 nvd

CRITICAL 9.2

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

Analysis

Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. …

Remediation

Within 24 hours: Identify all OneUptime deployments and document connected Twilio account credentials; immediately restrict network access to OneUptime notification API endpoints (/notification/*) using firewall or API gateway rules to block external traffic. Within 7 days: Contact OneUptime support for interim patch status and detailed impact assessment; implement IP-based access controls or VPN requirement for all OneUptime administrative access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

CVE-2026-34759 vulnerability details – vuln.today

Back

CVE-2026-34759

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34759

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code