CVE-2026-32306

CriticalPublic PoC

Published: 13 March 2026

Published

13 March 2026

Modified

17 March 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0046 63.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL").…

There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by requiring validation of user-controlled parameters like aggregationType before interpolating into ClickHouse SQL queries.

SI-2 Flaw Remediation good match

prevent

Ensures timely identification, reporting, and correction of flaws such as the lack of input validation and parameterization in the telemetry API.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Requires vulnerability scanning that would identify the SQL injection vulnerability in the ClickHouse query construction, enabling remediation before exploitation.

Security SummaryAI

CVE-2026-32306 is a SQL injection vulnerability in OneUptime, an open-source solution for monitoring and managing online services. In versions prior to 10.0.23, the telemetry aggregation API accepts user-controlled parameters—aggregationType, aggregateColumnName, and aggregationTimestampColumnName—and interpolates them directly into ClickHouse SQL queries using the .append() method, which is documented as handling "trusted SQL." There is no allowlist, parameterized query binding, or input validation, allowing arbitrary SQL injection into the ClickHouse database.

An authenticated user with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation enables full database read access, including sensitive telemetry data from all tenants, data modification, and potential remote code execution through ClickHouse table functions. The issue has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The vulnerability is fixed in OneUptime version 10.0.23. Additional details and mitigation guidance are available in the GitHub security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35.

Details

CWE(s): CWE-89

Affected Products

hackerbay

oneuptime

≤ 10.0.23

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing API (T1190) enables arbitrary database read access (T1213.006) and modification; potential RCE via ClickHouse functions further facilitates execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com