Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
Published: 2026-04-02
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Financial loss and service disruption
Action: Immediate Patch
AI Analysis

Impact

Unprotected notification API endpoints in OneUptime prior to version 10.0.42 let unauthenticated callers purchase phone numbers on the victim's Twilio account and delete the existing alerting numbers, causing direct financial loss and silently breaking SMS and voice alerting. The only precondition is a project identifier, which the public Status Page API leaks. The weakness is missing authorization (CWE-862): the affected routes were registered without the ClusterKeyAuthorization.isAuthorizedServiceMiddleware check that sibling routes in the same codebase apply, and the routes are reachable from outside through the Nginx proxy at /notification/.

Affected Systems

The affected product is the OneUptime monitoring and observability platform from vendor OneUptime (tracked in NVD under the Hackerbay CPE). All releases earlier than 10.0.42 contain the flaw; it was resolved in release 10.0.42.

Risk and Exploitability

The CVSS 4.0 score of 9.2 is Critical (NVD's CVSS 3.1 score is 8.1, High); attack complexity is rated high because the attacker must first obtain the victim's projectId. The EPSS score below 1 percent indicates a low probability of exploitation under current conditions, and the vulnerability is not listed in the CISA KEV catalog. Exploitation consists of sending unauthenticated HTTP requests to the /notification/ endpoints exposed through the Nginx proxy, supplying a projectId harvested from the public Status Page API to target a specific project.

Generated by OpenCVE AI on April 13, 2026 at 21:32 UTC.

Remediation

Vendor fix: upgrade to OneUptime 10.0.42 or later, per the CVE description. No separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.42 or later
  • Verify that every route under /notification/ is registered with ClusterKeyAuthorization.isAuthorizedServiceMiddleware (or an equivalent service-to-service authentication check); a missing middleware argument is the whole bug
  • Verify that project identifiers are not exposed through public APIs such as the Status Page API
  • Apply rate limiting or IP restrictions to the /notification/ path at the Nginx proxy if it does not need to be reachable from the Internet; this reduces exposure but is not a substitute for the patch
  • Review Twilio billing and the phone-number inventory for unauthorized purchases or deletions, since deleted alerting numbers stop notifications without any error on the OneUptime side
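The second recommended action above is easiest to enforce as a test that runs over the router source files and fails when a registration lacks the auth middleware. The following is an added example and not OneUptime's own code: the middleware name comes from the CVE text, while the Express-style registration form (router.post("/path", ...middleware, handler)), the helper names and the sample routes are assumptions made for the illustration.

```typescript
// Added example (not OneUptime's code): a static audit that flags Express-style
// route registrations whose handler chain lacks a service-auth middleware.
// The middleware name is taken from the CVE text; the router call style
// (router.post("/path", ...middleware, handler)) and the sample paths below
// are assumptions about the code base, not facts from the advisory.

const AUTH_MIDDLEWARE: readonly string[] = [
  "ClusterKeyAuthorization.isAuthorizedServiceMiddleware",
];

interface RouteFinding {
  method: string;     // HTTP verb as registered, upper-cased
  path: string;       // route path literal
  protected: boolean; // true if any known auth middleware appears in the chain
}

// Splits a router source file at each route registration and checks every
// handler chain for one of the known auth middlewares.
function auditRouterSource(src: string): RouteFinding[] {
  const chunks = src.split(/(?=\brouter\.(?:get|post|put|patch|delete)\s*\()/);
  const findings: RouteFinding[] = [];
  for (const chunk of chunks) {
    const m = chunk.match(
      /^router\.(get|post|put|patch|delete)\s*\(\s*["'`]([^"'`]+)["'`]/,
    );
    if (!m) continue; // text before the first registration, or a non-literal path
    const isProtected = AUTH_MIDDLEWARE.some((name) => chunk.includes(name));
    findings.push({ method: m[1].toUpperCase(), path: m[2], protected: isProtected });
  }
  return findings;
}

// Returns "METHOD /path" for every unprotected route, minus an explicit allow
// list of routes that are meant to be public (for example a health check).
function unprotectedRoutes(src: string, allowPublic: readonly string[] = []): string[] {
  return auditRouterSource(src)
    .filter((f) => !f.protected)
    .map((f) => `${f.method} ${f.path}`)
    .filter((route) => !allowPublic.includes(route));
}

// Constructed sample router source with hypothetical paths: one protected
// route beside two siblings registered without the middleware.
const SAMPLE_ROUTER_SOURCE = `
router.post(
  "/sms/send",
  ClusterKeyAuthorization.isAuthorizedServiceMiddleware,
  async (req: ExpressRequest, res: ExpressResponse): Promise<void> => {
    res.status(200).send("ok");
  }
);

router.post(
  "/phone-number/purchase",
  async (req: ExpressRequest, res: ExpressResponse): Promise<void> => {
    res.status(200).send("purchased");
  }
);

router.delete(
  "/phone-number/delete",
  async (req: ExpressRequest, res: ExpressResponse): Promise<void> => {
    res.status(200).send("deleted");
  }
);
`;

// Stand-alone run: prints the two unprotected routes.
console.log(unprotectedRoutes(SAMPLE_ROUTER_SOURCE));
```

The check is textual, so a comment that merely mentions the middleware name would satisfy it; treat it as a CI gate that catches the "forgot the middleware argument" class of bug described in this CVE, with the allow list reviewed whenever a route is deliberately public.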

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hackerbay; Hackerbay oneuptime
CPEs                                  cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*
Vendors & Products                    Hackerbay; Hackerbay oneuptime
Metrics                               cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 14:00:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Oneuptime; Oneuptime oneuptime
Vendors & Products                    Oneuptime; Oneuptime oneuptime

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Description                           OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
Title                                 OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure
Weaknesses                            CWE-862
References
Metrics                               cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T12:58:14.882Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34759

Vulnrichment

Updated: 2026-04-03T12:58:11.691Z

NVD

Status : Analyzed

Published: 2026-04-02T19:21:33.833

Modified: 2026-04-13T18:45:18.940

Link: CVE-2026-34759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:56Z

Weaknesses