Description
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Unvalidated column identifiers are accepted for sort, select, and groupBy parameters in API requests, and these names are inserted directly into ClickHouse identifiers without escaping. An attacker who can reach any analytics list or aggregate endpoint can craft values that inject arbitrary SQL, potentially gaining unauthorized data access or broader control over the database.

Affected Systems

Versions of OneUptime older than 10.0.34 are affected. The vulnerability exists in the OneUptime monitoring and management platform; any instance exposing the analytics or aggregate APIs is at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and while the EPSS score of less than 1% suggests low current exploitation likelihood, the lack of KEV listing does not diminish the need for remediation. Exploitation requires the attacker to send a crafted request to the relevant endpoints; if successful, it could lead to confidentiality or integrity violations within the underlying ClickHouse database.

Generated by OpenCVE AI on March 24, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OneUptime instance to version 10.0.34 or newer to apply the fix that validates column names in all query construction paths.
  • Ensure the upgrade is properly propagated to all nodes in the environment.
  • Limit access to the analytics and aggregate APIs to trusted users or IP ranges until the patch is applied.
  • Monitor logs for suspicious sort, select, or groupBy requests that may indicate attempted exploitation.
  • If a rapid patch is unavailable, consider temporarily disabling the affected endpoints to prevent exploitation.

Generated by OpenCVE AI on March 24, 2026 at 03:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gcg3-c5p2-cqgg OneUptime ClickHouse vulnerable to SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters
History

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Hackerbay
Hackerbay oneuptime
CPEs cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products Hackerbay
Hackerbay oneuptime

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Oneuptime
Oneuptime oneuptime
Vendors & Products Oneuptime
Oneuptime oneuptime

Fri, 20 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys. This issue has been patched in version 10.0.34.
Title OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Hackerbay Oneuptime
Oneuptime Oneuptime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:42:27.751Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33142

cve-icon Vulnrichment

Updated: 2026-03-25T13:42:18.353Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:14.770

Modified: 2026-03-23T20:34:10.660

Link: CVE-2026-33142

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:43Z

Weaknesses