Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
Published: 2026-03-09
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized project binding and data exposure
Action: Immediate Patch
AI Analysis

Impact

OneUptime allowed unverified GitHub App callback parameters to overwrite a project's GitHubAppInstallationId and set isRoot to true, creating an unauthorized root relationship with that project. The same flaw lets an attacker enumerate repositories and create CodeRepository records in arbitrary projects using a valid installation ID. The root causes are insufficient verification of data authenticity (CWE-345), authorization bypass through a user-controlled key (CWE-639) and missing authorization (CWE-862), leading to potential compromise of project integrity and confidentiality.

Affected Systems

The vulnerability affects OneUptime across all versions prior to 10.0.19. No specific sub-product or third-party component is mentioned; the primary product is the OneUptime monitoring platform.

Risk and Exploitability

With a CVSS base score of 8.6, the vulnerability is high severity, yet the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalogue. An attacker would need to craft or obtain a malicious GitHub App installation callback that supplies attacker-controlled state and installation_id values, a scenario that is plausible but not trivial without access to a GitHub App environment. The lack of effective authorization on related GitHub endpoints further expands the surface for enumeration and data insertion once the initial binding bypass is achieved.

Generated by OpenCVE AI on April 16, 2026 at 10:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.19 or later to apply the vendor fix.
  • If an upgrade is not immediately possible, implement validation logic to ensure that the state and installation_id received from the GitHub callback are verified against the authorized project before updating Project.gitHubAppInstallationId.
  • Audit GitHub event logs and monitor for unexpected changes to Project.gitHubAppInstallationId or unexpected CodeRepository creations to detect potential exploitation attempts.
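One way to implement the state and caller checks from the actions above, as an added TypeScript example that is not OneUptime's own code: the state is an HMAC-signed token bound to the project and the user who started the install, and the callback binds the installation only after the signature, expiry, session user and project membership all check out. The project store, membership map, secret and user/project names are constructed stand-ins.

```typescript
// Added example (not OneUptime's code): bind a GitHub App installation to a
// project only when the state is a signed, unexpired token minted for that
// project and the logged-in caller is actually a member of it.
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

type Project = { id: string; gitHubAppInstallationId?: string };
// Constructed in-memory stand-ins for the project table and membership table.
const projects = new Map<string, Project>([["proj-A", { id: "proj-A" }], ["proj-B", { id: "proj-B" }]]);
const members = new Map<string, Set<string>>([["user-1", new Set(["proj-A"])], ["user-2", new Set(["proj-B"])]]);
const STATE_SECRET = "constructed-secret-load-from-env"; // hypothetical server-side key

function mac(payload: string): string {
  return createHmac("sha256", STATE_SECRET).update(payload).digest("hex");
}

// Mint the state sent to GitHub when a user starts the install: projectId.userId.expiry.nonce.hmac
function mintState(projectId: string, userId: string, now = Date.now()): string {
  const payload = `${projectId}.${userId}.${now + 10 * 60_000}.${randomBytes(8).toString("hex")}`;
  return `${payload}.${mac(payload)}`;
}

// Returns the claims only if the token is well-formed, correctly signed and unexpired.
function verifyState(state: string, now = Date.now()): { projectId: string; userId: string } | null {
  const parts = state.split(".");
  if (parts.length !== 5) return null;
  const given = parts.pop() as string;
  const expected = mac(parts.join("."));
  if (given.length !== expected.length || !timingSafeEqual(Buffer.from(given), Buffer.from(expected))) return null;
  const [projectId, userId, expiry] = parts;
  return Number(expiry) >= now ? { projectId, userId } : null;
}

// Callback handler: authorization comes from the session and the signed claims,
// never from the raw query string. installationId is only syntax-checked here;
// a real handler would also confirm it with the GitHub API before storing it.
function handleCallback(state: string, installationId: string, sessionUserId: string): "bound" | "rejected" {
  const claims = verifyState(state);
  if (!claims || claims.userId !== sessionUserId) return "rejected";
  if (!/^\d{1,20}$/.test(installationId)) return "rejected";
  if (!members.get(sessionUserId)?.has(claims.projectId)) return "rejected";
  const project = projects.get(claims.projectId);
  if (!project) return "rejected";
  project.gitHubAppInstallationId = installationId;
  return "bound";
}

function installationOf(projectId: string): string | undefined {
  return projects.get(projectId)?.gitHubAppInstallationId;
}
```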

Generated by OpenCVE AI on April 16, 2026 at 10:01 UTC.

Tracking


Advisories
Source | ID | Title
GitHub GHSA | GHSA-656w-6f6c-m9r6 | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
History

Thu, 12 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hackerbay
 | | Hackerbay oneuptime
CPEs | | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products | | Hackerbay
 | | Hackerbay oneuptime

Tue, 10 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oneuptime
 | | Oneuptime oneuptime
Vendors & Products | | Oneuptime
 | | Oneuptime oneuptime

Mon, 09 Mar 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
Title | | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Weaknesses | | CWE-345
 | | CWE-639
 | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:14:51.667Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30920

Vulnrichment

Updated: 2026-03-10T14:14:40.052Z

NVD

Status : Analyzed

Published: 2026-03-10T17:40:16.000

Modified: 2026-03-12T13:43:38.543

Link: CVE-2026-30920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses