Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
AnalysisAI
Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. Attackers can purchase phone numbers on victim Twilio accounts and delete configured alerting numbers by exploiting unprotected /notification/ endpoints, using leaked projectId values from public Status Page APIs. No public exploit identified at time of analysis, though attack complexity is rated high (CVSS AC:H) and proof-of-concept details are available in the GitHub security advisory.
Technical ContextAI
OneUptime (cpe:2.3:a:oneuptime:oneuptime) is an open-source monitoring platform that uses Twilio for SMS/voice alerting. The vulnerability stems from CWE-862 (Missing Authorization) where notification API endpoints at /notification/* are exposed through Nginx reverse proxy without implementing ClusterKeyAuthorization.isAuthorizedServiceMiddleware, despite this middleware being correctly applied to sibling endpoints in the same codebase. The architecture flaw creates an inconsistent security boundary: while most API routes require cluster-level authentication tokens, the notification subsystem endpoints are reachable without any credential validation. The attack chain requires combining this missing authorization with a separate information disclosure issue-projectId values that should be internal are exposed through the public-facing Status Page API. These projectIds serve as the only required parameter to invoke privileged Twilio operations (purchasing numbers, deleting configurations) through the unprotected endpoints. The Nginx proxy configuration routes external traffic directly to these handlers without enforcing authentication at the gateway level.
RemediationAI
Upgrade immediately to OneUptime version 10.0.42 or later, which implements proper ClusterKeyAuthorization middleware across all notification API endpoints per commit 9adbd04538714740506708d6fa610e433be4d2a4 available at https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4. Release details are documented at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42. Organizations unable to immediately upgrade should implement network-level access controls restricting /notification/* endpoints to trusted internal IP ranges via Nginx configuration, though this is only a temporary mitigation as the underlying authorization flaw remains. Additionally, audit Twilio account activity logs for unauthorized phone number purchases or deletions, and review Status Page API configurations to minimize projectId exposure where feasible. No effective workaround exists that maintains full notification functionality without the authentication fix.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18513