Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.
Published: 2026-04-02
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized use of notification channels
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from missing authentication checks on OneUptime's Notification test and Phone Number management endpoints. An attacker who can send unauthenticated requests to these endpoints can trigger SMS, call, email, or WhatsApp messages and even purchase phone numbers. Because no credentials are verified, an external actor can abuse the platform's communication capabilities, potentially spamming users, violating regulatory requirements, or incurring unexpected costs. This weakness is cataloged under CWE-306 (Missing Authentication for Critical Function), indicating an authentication bypass.

Affected Systems

The flaw affects the OneUptime open-source monitoring and observability platform, specifically all releases prior to version 10.0.42. Users running 10.0.41 or earlier are vulnerable. Corporate deployments of OneUptime that expose the notification endpoints to external networks are at risk. Version 10.0.42 and newer contain the fix, which enforces authentication on the affected endpoints.

Risk and Exploitability

With a CVSS score of 9.1, the vulnerability is classified as critical. No EPSS score is available, but the absence of authentication suggests that exploitation requires only the discovery of the endpoints, which are exposed by default. The issue has not been listed in the CISA KEV catalog, yet the potential for large-scale abuse makes it a high-priority target. Consequently, the risk remains high until the platform is updated or network controls are applied.

Generated by OpenCVE AI on April 2, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OneUptime to version 10.0.42 or later to restore the missing authentication checks.
  • If immediate update is not feasible, restrict network access to the Notification test and Phone Number management endpoints using firewalls or VPNs to limit exposure to trusted users.
  • Periodically review outbound communication logs for irregular SMS, call, email, or WhatsApp activity that could indicate exploitation.
  • Consider disabling or removing unnecessary notification features in the OneUptime configuration to reduce attack surface.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hackerbay; Hackerbay oneuptime
CPEs                                  cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products                    Hackerbay; Hackerbay oneuptime

Fri, 03 Apr 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Oneuptime; Oneuptime oneuptime
Vendors & Products                    Oneuptime; Oneuptime oneuptime

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.
Title                          OneUptime: Missing Authentication on Notification Endpoints
Weaknesses                     CWE-306
References
Metrics                        cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:58:23.101Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34758

Vulnrichment

Updated: 2026-04-03T15:57:54.784Z

NVD

Status : Analyzed

Published: 2026-04-02T19:21:33.670

Modified: 2026-04-03T19:52:26.097

Link: CVE-2026-34758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:35Z

Weaknesses