
CVE-2026-34759

Severity: High · Public PoC available

Published: 02 April 2026
Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.8th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without the authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

prevent · AC-3 (Access Enforcement): requires enforcement of approved authorizations on every API endpoint, which directly prevents unauthenticated access to the notification APIs that allow Twilio account manipulation.

prevent · AC-14 (Permitted Actions Without Identification or Authentication): mandates identifying and documenting the actions that are permitted without authentication, so that sensitive endpoints such as those under /notification/ cannot be exposed without middleware by omission.

prevent · SC-14 (Public Access Protections): safeguards for publicly accessible system resources, covering the notification APIs that the Nginx proxy exposes externally. Note that SC-14 is withdrawn in 800-53 r5 (incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10), so a current control mapping should cite those controls rather than SC-14 itself.

Security Summary (AI-generated)

CVE-2026-34759 is a missing authorization vulnerability (CWE-862) in OneUptime, an open-source monitoring and observability platform. In versions prior to 10.0.42, multiple notification API endpoints lack authentication middleware, even though sibling endpoints in the same codebase correctly implement ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These unprotected endpoints are externally reachable through the Nginx proxy at /notification/.

An unauthenticated attacker can exploit this vulnerability over the network by first obtaining a projectId leaked from the public Status Page API. With that identifier, the attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers, with high impact on confidentiality, integrity, and availability. The CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H); the High attack-complexity rating reflects the need to first recover a valid projectId, and the score remains high despite it because no privileges or user interaction are required.

The issue was patched in OneUptime version 10.0.42. Mitigation details are provided in the GitHub security advisory (GHSA-6wc5-rhvj-cx7f), the release notes for version 10.0.42, and the fixing commit 9adbd04538714740506708d6fa610e433be4d2a4.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: hackerbay / oneuptime, versions prior to 10.0.42 (fixed in 10.0.42)

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Missing authorization on externally reachable, public-facing API endpoints enables unauthenticated remote exploitation for unauthorized actions, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
