Description
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
Published: 2026-04-02
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Financial Abuse and Service Disruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows unauthenticated access to certain notification API endpoints in the monitoring platform. By exploiting these exempted routes, an attacker can purchase phone numbers associated with the victim’s Twilio account and delete existing alerting numbers, leading to direct financial loss and breakdown of essential monitoring notifications. This loss of notification integrity threatens the availability of monitoring services and can disrupt alerting workflows.

Affected Systems

The affected product is the open-source OneUptime monitoring platform, specifically all releases before version 10.0.42. Any deployment of these earlier releases with an exposed Nginx proxy at the /notification/ path is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.2, indicating high severity. No EPSS score is published, and it is not listed in CISA’s KEV catalog. Attackers can reach the vulnerable endpoints from the Internet through the Nginx reverse proxy, so the attack vector is external network. The exploit requires only that the attacker discovers the public subscriber IDs exposed via the Status Page API; once known, authentication is not required to purchase numbers or delete alerts. Because the endpoints lack any form of authorization middleware, the condition for exploitation is trivial for an external adversary.

Generated by OpenCVE AI on April 2, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.42 or later, where the authentication middleware is applied to all notification endpoints.
  • If upgrading is not immediately possible, restrict access to the /notification/ path on the Nginx proxy using network access controls or basic authentication to block unauthenticated callers.
  • Rotate Twilio credentials and review account usage for unauthorized number purchases.
  • Verify that the public Status Page API no longer exposes project identifiers and adjust the configuration to hide sensitive IDs.
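As an added example (not OneUptime's own code), a route-registration audit of the kind that catches the flaw described in this record: it lists every route whose handler chain lacks the required service-auth middleware, so the first recommended action can be verified in CI rather than by inspection. The router model, route paths, header name and key value below are constructed stand-ins.

```javascript
// Added example, not OneUptime code. Route paths, header name and key value are
// constructed stand-ins; the structure mirrors the advisory's pattern of sibling
// endpoints where some carry the service-auth middleware and some do not.

const CLUSTER_KEY = 'constructed-cluster-secret'; // in practice, from a secret store

// Stand-in for a cluster-key check: a shared-secret header must match exactly.
function isAuthorizedServiceMiddleware(req, res, next) {
  if (req.headers['x-cluster-key'] !== CLUSTER_KEY) {
    return res.status(401).end();
  }
  return next();
}

// Minimal router model: each registration records its full handler chain.
class Router {
  constructor() { this.routes = []; }
  register(method, path, ...handlers) {
    this.routes.push({ method, path, handlers });
  }
}

// Every route whose chain lacks `required`, rendered as "METHOD path".
// Matching by function identity (not name) means a lookalike wrapper does not pass.
function findUnprotectedRoutes(router, required) {
  return router.routes
    .filter((r) => !r.handlers.includes(required))
    .map((r) => `${r.method.toUpperCase()} ${r.path}`);
}

// Constructed registrations: one protected sibling, two registered without auth.
function buildNotificationRouter() {
  const ok = (req, res) => res.end();
  const router = new Router();
  router.register('post', '/notification/sms/send', isAuthorizedServiceMiddleware, ok);
  router.register('post', '/notification/phone/purchase', ok); // no auth middleware
  router.register('delete', '/notification/phone/:id', ok);    // no auth middleware
  return router;
}

// Intended as a CI regression check: a non-empty result should fail the build.
function auditNotificationRoutes() {
  return findUnprotectedRoutes(buildNotificationRouter(), isAuthorizedServiceMiddleware);
}

const gaps = auditNotificationRoutes();
console.log(gaps.length ? `Unprotected routes:\n  ${gaps.join('\n  ')}` : 'All routes protected');
```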


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 14:00:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Oneuptime; Oneuptime oneuptime
Vendors & Products  |                | Oneuptime; Oneuptime oneuptime

Thu, 02 Apr 2026 20:30:00 +0000

Type        | Values Removed | Values Added
Description |                | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These endpoints are externally reachable via the Nginx proxy at /notification/. Combined with a projectId leak from the public Status Page API, an unauthenticated attacker can purchase phone numbers on the victim's Twilio account and delete all existing alerting numbers. This issue has been patched in version 10.0.42.
Title       |                | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T12:58:14.882Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34759

Vulnrichment

Updated: 2026-04-03T12:58:11.691Z

NVD

Status: Undergoing Analysis

Published: 2026-04-02T19:21:33.833

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:34Z

Weaknesses