CRITICAL🇵🇱 Wersja polska

CVE-2026-30956

CVSS 9.9v3.1pub. 2026-03-10upd. 2026-03-12

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.

🤖 AI Analysis
How it works

An attacker sends an HTTP request containing a spoofed 'is-multi-tenant-query' header along with a controlled 'projectid' header. The server unconditionally trusts these headers supplied by the client, as a result internal permission control mechanisms in the BasePermission component are bypassed, and the restriction of data scope to a specific tenant is disabled. This allows the attacker to read project data belonging to other tenants, including sensitive user fields and password reset token in plaintext, and then reset the victim's password.

Impact

An attacker can gain access to sensitive project data of any tenant and intercept plaintext resetPasswordToken, leading to complete account takeover of the victim and cross-tenant data exposure.

Mitigation & patch

OneUptime should be updated to version 10.0.21, in which the vulnerability has been fixed. Patch available in vendor references: https://github.com/OneUptime/oneuptime/releases/tag/10.0.21

Who is affected

OneUptime (Hackerbay) in versions up to 10.0.20 inclusive

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hackerbay Oneuptime

    APP
    Hackerbay
    < 10.0.21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-35053CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)

CVE-2026-34759CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji

CVE-2026-34758CRITICAL9.1PL ✓ten sam produkt

OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami

CVE-2026-33396CRITICAL9.9PL ✓ten sam produkt

RCE w OneUptime — command injection przez Playwright w Synthetic Monitor

CVE-2026-32306CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE