Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
Published: 2026-03-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Upgrade
AI Analysis

Impact

The vulnerability is in OneUptime's password reset flow prior to version 10.0.24. The application logs the full password reset URL, including the reset token in plaintext, at the default INFO log level. This is a CWE-532 weakness (insertion of sensitive information into a log file). As a result, anyone who can read the application logs can capture a valid reset token and subsequently perform an account takeover for any user of the system.
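
An added illustration, not OneUptime's own code, of the CWE-532 fix pattern in TypeScript: redact the token before the reset URL reaches the logger, and scan existing log lines for tokens that were already written. The query-parameter names, the /reset-password path, the logger signature and the sample log lines are assumptions constructed for the example.

```typescript
// Added example, not OneUptime's own code. The parameter names, the /reset-password
// path and the log lines below are constructed for illustration.

// Query parameters that carry a password reset secret (assumed names).
const SENSITIVE_PARAMS = new Set(["token", "reset_token", "resetToken"]);

// Replace the value of every sensitive query parameter with a fixed marker so the
// URL can still be logged for debugging without exposing the reset secret.
function redactResetUrl(rawUrl: string): string {
  const url = new URL(rawUrl);
  for (const name of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(name)) {
      url.searchParams.set(name, "REDACTED");
    }
  }
  return url.toString();
}

// Hardened form of the reset-flow log line: the logger never sees the raw URL.
function logResetRequested(
  log: (msg: string) => void,
  userId: string,
  resetUrl: string,
): void {
  log(`password reset requested for user=${userId} url=${redactResetUrl(resetUrl)}`);
}

// Detection over existing logs: a token parameter whose value is a long opaque
// string (not the REDACTED marker) means a reset secret reached the log sink.
const LEAKED_TOKEN = /[?&](?:reset_?[tT]oken|token)=(?!REDACTED\b)[A-Za-z0-9_\-]{20,}/;

// Return the indexes of log lines that still contain an un-redacted reset token.
function findLeakedTokenLines(lines: string[]): number[] {
  const hits: number[] = [];
  lines.forEach((line, i) => {
    if (LEAKED_TOKEN.test(line)) hits.push(i);
  });
  return hits;
}

// Constructed sample: one pre-fix line leaks the token, one post-fix line does not.
const CONSTRUCTED_LOG: string[] = [
  "INFO  server listening on :3000",
  "INFO  password reset requested for user=42 url=https://status.example.com/reset-password?token=abcdefghijklmnopqrstuvwxyz0123456789",
  "INFO  password reset requested for user=43 url=https://status.example.com/reset-password?token=REDACTED",
];

const leaked = findLeakedTokenLines(CONSTRUCTED_LOG); // [1]
console.log(`lines with leaked reset tokens: ${JSON.stringify(leaked)}`);
```

Running the scanner over a real log export is the quickest way to decide whether tokens issued before the upgrade must be invalidated.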

Affected Systems

The affected product is OneUptime, the open-source monitoring platform, in all releases before 10.0.24. The vulnerability exists in the password reset implementation, tracked under the product name oneuptime. No narrower version ranges are listed beyond the note that the fix is in 10.0.24, so all prior releases are considered impacted.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires read access to the application logs, which may be available via Docker logs, Kubernetes pod logs, or a log aggregation system. If log access is restricted to privileged users, the risk is reduced; otherwise an attacker who can read the logs could acquire a reset token and impersonate any user. The attack vector is therefore log access rather than direct remote exposure of the application.

Generated by OpenCVE AI on March 17, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.24 or later

Generated by OpenCVE AI on March 17, 2026 at 21:43 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-4524-cj9j-g4fj
Title: OneUptime: Password Reset Token Logged at INFO Level
History

Tue, 17 Mar 2026 20:15:00 +0000

Type: First Time appeared
Values Added: Hackerbay; Hackerbay oneuptime

Type: CPEs
Values Added: cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Hackerbay; Hackerbay oneuptime

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Sat, 14 Mar 2026 04:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Oneuptime; Oneuptime oneuptime

Type: Vendors & Products
Values Added: Oneuptime; Oneuptime oneuptime

Thu, 12 Mar 2026 21:45:00 +0000

Type: Description
Values Added: OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.

Type: Title
Values Added: OneUptime: Password Reset Token Logged at INFO Level

Type: Weaknesses
Values Added: CWE-532

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-14T03:45:17.998Z

Reserved: 2026-03-12T14:54:24.269Z

Link: CVE-2026-32598

Vulnrichment

Updated: 2026-03-14T03:45:13.337Z

NVD

Status : Analyzed

Published: 2026-03-13T19:55:09.670

Modified: 2026-03-17T20:06:09.410

Link: CVE-2026-32598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T10:00:06Z

Weaknesses