Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
Published: 2026-03-12
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The telemetry aggregation API in OneUptime accepts parameters aggregationType, aggregateColumnName, and aggregationTimestampColumnName and directly interpolates them into ClickHouse SQL queries via an .append() method labeled as "trusted SQL." Without an allowlist, parameterized binding, or input validation, an authenticated user can inject arbitrary SQL. This SQL injection (CWE-89) permits reading all tenant telemetry data, modifying database contents, and potentially executing code through ClickHouse table functions.
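The interpolation pattern the description and the impact analysis both refer to, placed beside an allowlist-based builder that validates every caller-controlled fragment before any SQL text is assembled. This is an added example, not OneUptime's code: the parameter interface, the table and column allowlists, the set of permitted aggregate functions and the query shape are all assumptions made for the illustration.

```typescript
// Added example, not OneUptime's own code: the advisory describes aggregation
// parameters being appended verbatim into ClickHouse SQL. This contrasts that
// pattern with a builder that only accepts allowlisted functions and columns.

// Hypothetical request shape; the field names follow the advisory, the rest is assumed.
interface AggregateQueryParams {
  aggregationType: string;
  aggregateColumnName: string;
  aggregationTimestampColumnName: string;
}

// Allowlist of aggregate functions the API is willing to emit (constructed for this example).
const ALLOWED_AGGREGATIONS: ReadonlySet<string> = new Set(["sum", "avg", "min", "max", "count"]);

// Allowlist of tables and the columns each may aggregate or bucket on (constructed).
const ALLOWED_COLUMNS: ReadonlyMap<string, ReadonlySet<string>> = new Map([
  ["metrics", new Set(["value", "time", "createdAt"])],
]);

// Strict identifier syntax, checked on top of the allowlist membership test.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// The vulnerable shape from the advisory: every parameter lands in the SQL text
// untouched, so a "column" may carry arbitrary SQL. Kept only for contrast.
function buildAggregateQueryUnsafe(table: string, p: AggregateQueryParams): string {
  let sql = "";
  sql += `SELECT ${p.aggregationType}(${p.aggregateColumnName}) AS value`;
  sql += `, toStartOfInterval(${p.aggregationTimestampColumnName}, INTERVAL 1 HOUR) AS bucket`;
  sql += ` FROM ${table} GROUP BY bucket ORDER BY bucket`;
  return sql;
}

// Returns null when every user-controlled fragment is acceptable, otherwise a
// reason string. Validation runs before any SQL text is assembled.
function validateAggregateParams(table: string, p: AggregateQueryParams): string | null {
  const columns = ALLOWED_COLUMNS.get(table);
  if (columns === undefined) return `unknown table: ${table}`;
  if (!ALLOWED_AGGREGATIONS.has(p.aggregationType.toLowerCase())) {
    return `aggregationType not allowed: ${p.aggregationType}`;
  }
  for (const name of [p.aggregateColumnName, p.aggregationTimestampColumnName]) {
    if (!IDENTIFIER.test(name) || !columns.has(name)) return `column not allowed: ${name}`;
  }
  return null;
}

// Hardened builder: rejects anything outside the allowlists and backtick-quotes
// the already validated identifiers, so no caller-supplied text reaches ClickHouse raw.
function buildAggregateQuerySafe(table: string, p: AggregateQueryParams): string {
  const problem = validateAggregateParams(table, p);
  if (problem !== null) throw new Error(problem);
  const fn = p.aggregationType.toLowerCase();
  const col = "`" + p.aggregateColumnName + "`";
  const ts = "`" + p.aggregationTimestampColumnName + "`";
  return `SELECT ${fn}(${col}) AS value, toStartOfInterval(${ts}, INTERVAL 1 HOUR) AS bucket FROM \`${table}\` GROUP BY bucket ORDER BY bucket`;
}

// Stand-alone demonstration on constructed inputs.
const good: AggregateQueryParams = { aggregationType: "SUM", aggregateColumnName: "value", aggregationTimestampColumnName: "time" };
const bad: AggregateQueryParams = { ...good, aggregateColumnName: "value)" };
console.log(buildAggregateQuerySafe("metrics", good));
console.log(validateAggregateParams("metrics", bad));
```

The allowlist, not the quoting, is what closes the hole: backtick quoting alone would still let a caller name any column in any tenant's table, so the builder first checks that the function, table and columns are ones the API means to expose and only then emits SQL.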

Affected Systems

All installations of OneUptime running a version earlier than 10.0.23 are vulnerable. The vulnerability was fixed in release 10.0.23, so any deployment whose version number is 10.0.22 or older, or that has not applied the patch, is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 10, signifying critical severity, and an EPSS score of less than 1%, indicating a low current exploitation probability. It is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the telemetry aggregation API but does not require elevated privileges beyond those granted to a regular monitoring user. Successful exploitation would compromise the confidentiality, integrity, and potentially availability of all tenant telemetry data, and could lead to remote code execution on the underlying system.

Generated by OpenCVE AI on March 17, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading OneUptime to version 10.0.23 or later.
  • Verify that the deployed instance has been updated by checking the application version endpoint or the configuration file.



Advisories
Source | ID | Title
GitHub GHSA | GHSA-p5g2-jm85-8g35 | OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
History

Tue, 17 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hackerbay; Hackerbay oneuptime
CPEs | | cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products | | Hackerbay; Hackerbay oneuptime

Sat, 14 Mar 2026 04:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oneuptime; Oneuptime oneuptime
Vendors & Products | | Oneuptime; Oneuptime oneuptime

Thu, 12 Mar 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
Title | | OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-14T03:42:22.271Z

Reserved: 2026-03-11T21:16:21.659Z

Link: CVE-2026-32306

Vulnrichment

Updated: 2026-03-14T03:42:18.572Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:42.000

Modified: 2026-03-17T20:08:56.733

Link: CVE-2026-32306

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T10:00:15Z

Weaknesses