Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.
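The root cause described above, as an added example that is not OneUptime's own code: a simplified handler in which a client-supplied `is-multi-tenant-query` header switches off the membership check (the flawed pattern), next to one that derives tenant scope only from the server-side session. All type and function names are assumed, and the project records are constructed.

```typescript
// Added illustration (not OneUptime's code): the flawed pattern the advisory
// describes, a request header that switches off tenant scoping, beside a fix
// that derives scope only from the server-side session. All names are assumed.
type Headers = Record<string, string | undefined>;
interface Session { userId: string; projects: string[] } // filled server-side from the login token
interface Owner { email: string; resetPasswordToken?: string }
interface Project { name: string; owner: Owner }

// Constructed tenant data: the caller's own project and another tenant's project.
const PROJECTS: Record<string, Project> = {
  "proj-A": { name: "Alice Corp", owner: { email: "alice@example.test" } },
  "proj-B": { name: "Other Inc", owner: { email: "bob@example.test", resetPasswordToken: "constructed-token" } },
};

// Public projection: nested relations never expose secret columns.
function publicView(p: Project) {
  const { resetPasswordToken: _secret, ...owner } = p.owner;
  return { name: p.name, owner };
}

// VULNERABLE: a client header decides whether the membership check runs and
// whether the query is scoped, so the raw record (secrets included) comes back.
export function getProjectVulnerable(h: Headers, s: Session): Project | ReturnType<typeof publicView> {
  const projectId = h["projectid"] ?? s.projects[0];
  if (h["is-multi-tenant-query"] === "true") return PROJECTS[projectId]; // permission check skipped
  if (!s.projects.includes(projectId)) throw new Error("forbidden");
  return publicView(PROJECTS[projectId]);
}

// FIXED: a header can only name a project; membership is taken from the
// session, and every response passes through the secret-stripping projection.
export function getProjectFixed(h: Headers, s: Session) {
  const projectId = h["projectid"] ?? s.projects[0];
  if (!s.projects.includes(projectId)) throw new Error("forbidden");
  return publicView(PROJECTS[projectId]);
}

// Detection aid: an internal-only control header arriving from an external
// client is worth logging, whether or not the handler still honours it.
export function hasForgedControlHeader(h: Headers): boolean {
  return h["is-multi-tenant-query"] !== undefined;
}
```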
Published: 2026-03-10
Score: 10 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: Authorization bypass leading to cross‑tenant data exposure and account takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from a client-controlled is-multi-tenant-query header that, when forged together with a projectid header, causes the server to skip internal permission checks in BasePermission. This authorization bypass allows a low-privileged user to read data from other tenants, expose sensitive user information such as resetPasswordToken, and reset victim passwords, leading to full account takeover. The weakness is classified as CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization).

Affected Systems

Affected deployments are those running OneUptime version 10.0.20 or earlier. The vulnerability was fixed in release 10.0.21. All installations of OneUptime that have not applied the latest patch remain vulnerable.

Risk and Exploitability

Risk is severe with a CVSS score of 10 and an EPSS of < 1%. The CVE enables a low-privileged user to forge the is-multi-tenant-query and projectid headers, bypassing permission checks and allowing read access to other tenants' data, exposure of sensitive user fields, and full account takeover. No public exploits have been reported, and the vulnerability is not listed in the KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 09:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OneUptime version 10.0.21 or later to apply the vendor fix.
  • Check the vendor’s website or security advisories for any additional patches and apply them promptly.
  • Audit projects for unauthorized cross‑tenant data access, reset passwords for accounts that may have been compromised, and verify permissions.


Advisories
Source: GitHub GHSA
ID: GHSA-r5v6-2599-9g3m
Title: OneUptime has authorization bypass via client-controlled is-multi-tenant-query header that leads to cross-tenant data exposure and account takeover
History

Thu, 12 Mar 2026 14:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hackerbay; Hackerbay oneuptime
CPEs                |                | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products  |                | Hackerbay; Hackerbay oneuptime

Wed, 11 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Oneuptime; Oneuptime oneuptime
Vendors & Products  |                | Oneuptime; Oneuptime oneuptime

Tue, 10 Mar 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:15:00 +0000

Type        | Values Removed | Values Added
Description |                | (the CVE description shown at the top of this page)
Title       |                | OneUptime has authorization bypass via client-controlled is-multi-tenant-query header
Weaknesses  |                | CWE-285; CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:06:41.378Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30956

Vulnrichment

Updated: 2026-03-10T18:25:34.148Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:54.587

Modified: 2026-03-12T14:11:58.990

Link: CVE-2026-30956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses