Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.
AnalysisAI
Unauthenticated access to notification and phone management endpoints in OneUptime <10.0.42 allows remote attackers to abuse SMS, voice call, email, and WhatsApp messaging services and purchase phone numbers without authentication. The CVSS 9.1 (Critical) rating reflects network-accessible attack vector with no authentication required (PR:N) and low complexity (AC:L), enabling immediate abuse of platform communication services and potential financial fraud. Vendor-released patch available in version 10.0.42. No public exploit identified at time of analysis, though EPSS risk assessment would likely be elevated given the simplicity of exploitation and clear abuse potential.
Technical ContextAI
OneUptime is a comprehensive open-source monitoring and observability platform designed for infrastructure and application monitoring with integrated notification capabilities. This vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where API endpoints responsible for testing notification channels (SMS, voice calls, email, WhatsApp) and managing phone number resources lack authentication enforcement. The affected CPE (cpe:2.3:a:oneuptime:oneuptime) indicates the core platform application is vulnerable. The CVSS vector indicates these endpoints are exposed over the network (AV:N) with no authentication barrier (PR:N), allowing any remote actor to invoke notification tests or phone number procurement functions. The underlying issue represents a common authentication bypass pattern in API design where administrative or resource-intensive operations are inadvertently exposed without proper access control validation.
RemediationAI
Upgrade immediately to OneUptime version 10.0.42 or later, which contains the authentication enforcement fix. The vendor-released patch is available via the official GitHub release at https://github.com/OneUptime/oneuptime/releases/tag/10.0.42, with the specific security fix implemented in commit 9adbd04538714740506708d6fa610e433be4d2a4 (https://github.com/OneUptime/oneuptime/commit/9adbd04538714740506708d6fa610e433be4d2a4). No workarounds are provided in the advisory; patching is the only effective remediation. Organizations should prioritize this upgrade to prevent unauthorized access to notification endpoints and phone number management functions. After upgrading, review platform logs for any suspicious notification test activity or unauthorized phone number purchases that may have occurred during the vulnerability window. Refer to the GitHub Security Advisory GHSA-q253-6wcm-h8hp for complete vendor guidance.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring conf
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.8), this vulnerability
OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by
OneUptime is a solution for monitoring and managing online services. Rated high severity (CVSS 8.3), this vulnerability
OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validatio
Unauthenticated path traversal in OneUptime versions before 10.0.21 allows remote attackers to read arbitrary files from
OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerabilit
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18511