CVE-2026-34759
Last modified
CVE-2026-34759 is a critical-severity vulnerability rated 9.2/10 on the CVSS scale. OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hackerbay | Oneuptime | < 10.0.42 |
References
- https://github.com/OneUptime/oneuptime/releases/tag/10.0.42Product, Release Notes
- https://github.com/OneUptime/oneuptime/security/advisories/GHSA-6wc5-rhvj-cx7fExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-34759?
How severe is CVE-2026-34759?
How do I fix CVE-2026-34759?
Are you affected by CVE-2026-34759?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST