Impact
The vulnerability is in the resend-verification-code endpoint of OneUptime's UserWhatsApp API. Any authenticated user can request a resend of a WhatsApp verification code for any UserWhatsApp record by supplying its ID; the endpoint never checks that the requesting user owns the target record. An attacker with ordinary, legitimate credentials can therefore obtain a verification code for another user's WhatsApp account, which may facilitate account takeover or phishing. The advisory maps the flaw to several CWE identifiers, including improper authorization: the endpoint authenticates the caller but performs no object-level ownership check before acting on the record.
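The pattern below is an added illustration written for this page, not OneUptime's own code, and it does not reproduce the real handler, routes or data model of UserWhatsAppAPI.ts or UserWhatsAppService.ts. It models the flaw the advisory describes (an authenticated caller naming any record ID and the handler resending without comparing the record's owner to the caller) beside a hardened version that performs the ownership check in a service-layer lookup before any side effect. The record shape, the in-memory store, the two sample users and the outbox stand-in for the WhatsApp send are all constructed assumptions.

```typescript
// Added example (not OneUptime code): missing vs. present ownership check on a
// "resend verification code" handler. All names and data here are assumptions.

type UserId = string;
type RecordId = string;

interface UserWhatsAppRecord {
  id: RecordId;
  userId: UserId;           // owner of this WhatsApp number
  phone: string;
  verificationCode: string; // secret that must only ever reach the owner
}

interface ResendRequest {
  authenticatedUserId: UserId; // established by session middleware, trusted
  targetRecordId: RecordId;    // supplied by the client, attacker-controlled
}

interface ResendResponse {
  status: 200 | 404;
  sentTo?: string;             // phone number the code was (re)sent to
}

// Constructed sample data: two users, each owning exactly one record.
const records = new Map<RecordId, UserWhatsAppRecord>([
  ["rec-alice", { id: "rec-alice", userId: "alice", phone: "+15550000001", verificationCode: "482913" }],
  ["rec-bob",   { id: "rec-bob",   userId: "bob",   phone: "+15550000002", verificationCode: "117465" }],
]);

// Stand-in for the WhatsApp delivery: records what would have been sent and
// which authenticated user triggered it, so abuse is observable in tests/logs.
const outbox: Array<{ phone: string; code: string; triggeredBy: UserId }> = [];

function sendCode(rec: UserWhatsAppRecord, triggeredBy: UserId): void {
  outbox.push({ phone: rec.phone, code: rec.verificationCode, triggeredBy });
}

// Vulnerable shape: authentication only. The caller is logged in, but the
// handler never compares rec.userId to the caller, so any record ID works.
function resendVulnerable(req: ResendRequest): ResendResponse {
  const rec = records.get(req.targetRecordId);
  if (!rec) return { status: 404 };
  sendCode(rec, req.authenticatedUserId);
  return { status: 200, sentTo: rec.phone };
}

// Service-layer lookup that scopes the query to the caller. A record that
// exists but belongs to someone else is indistinguishable from a missing one,
// so the endpoint also stops confirming which IDs exist.
function findOwnedRecord(userId: UserId, recordId: RecordId): UserWhatsAppRecord | undefined {
  const rec = records.get(recordId);
  return rec && rec.userId === userId ? rec : undefined;
}

// Hardened shape: ownership is checked before any side effect occurs.
function resendHardened(req: ResendRequest): ResendResponse {
  const rec = findOwnedRecord(req.authenticatedUserId, req.targetRecordId);
  if (!rec) return { status: 404 };
  sendCode(rec, req.authenticatedUserId);
  return { status: 200, sentTo: rec.phone };
}

// The abuse scenario from the advisory: Bob, authenticated as himself,
// asks the endpoint to resend the code for Alice's record.
function crossUserAttempt(handler: (r: ResendRequest) => ResendResponse): ResendResponse {
  return handler({ authenticatedUserId: "bob", targetRecordId: "rec-alice" });
}

function outboxSize(): number {
  return outbox.length;
}

function clearOutbox(): void {
  outbox.length = 0;
}
```

Run `crossUserAttempt(resendVulnerable)` and the outbox gains a send to Alice's number triggered by Bob; run `crossUserAttempt(resendHardened)` and the call returns 404 with nothing sent, while Alice resending her own record still succeeds. The point worth carrying into a real code base is that the check lives in the lookup every handler uses, not in one route: a second endpoint that fetches the same record by ID would otherwise reintroduce the same flaw.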
Affected Systems
Affected systems are deployments of OneUptime's monitoring platform running a version in which UserWhatsAppAPI.ts and UserWhatsAppService.ts perform no ownership check on the resend path. The advisory does not enumerate affected version numbers; the fix shipped in release 10.0.21, cited in the references.
Risk and Exploitability
The CVSS base score of 5.3 (medium) and an EPSS probability below 1% describe a moderate-severity flaw that is currently unlikely to be exploited in the wild; consistent with that, it is not listed in the CISA KEV catalog. The attack vector is network-based, since the endpoint is part of an HTTP API, and the only precondition is an authenticated session, so any user with valid credentials on the instance can abuse it. Because the endpoint relies on authentication alone and skips the object-level authorization check, an attacker operates with the privileges of an ordinary user but against records that user should not be able to act on.
OpenCVE Enrichment
GitHub GHSA