9.9

OneUptime: Unauthorized access to other businesses' data

GHSA-r5v6-2599-9g3m · CVE-2026-30956
Summary

A vulnerability in OneUptime version 10.0.20 and earlier allows a malicious user to view and manipulate sensitive information belonging to other businesses, including their account passwords. This could lead to data theft and complete control over affected accounts. Update to version 10.0.21 to fix this issue.

What to do
  • Update the oneuptime common package to version 10.0.21.
  • Update the @oneuptime/common package to version 10.0.21.
Affected software
Vendor      Product             Affected versions   Fix available
oneuptime   common              <= 10.0.21          10.0.21
oneuptime   @oneuptime/common   <= 10.0.21          10.0.21
hackerbay   oneuptime           <= 10.0.21          (none listed)
Original title
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sendi...
Original description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.
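The following TypeScript is an added illustration, not OneUptime's own code: it models the flaw the description attributes to 10.0.20 and earlier (a client-supplied is-multi-tenant-query header that disables tenant scoping and permission checks) beside a hardened resolver that drops server-internal flags at the edge and validates the requested project against the authenticated session. The Session and Scope shapes, the sample session and headers, and the list of internal control headers are assumptions made for the example.

```typescript
// Added example; not OneUptime code. Header names come from the advisory,
// everything else here is an assumed simplification of a request pipeline.
type Headers = Record<string, string>;
interface Session { userId: string; projectIds: string[] }
interface Scope { tenantScoped: boolean; projectId: string | null; checkPermissions: boolean }

// Flags that only server-side code may set; a client must never be able to supply them.
const CLIENT_FORBIDDEN_HEADERS: string[] = ["is-multi-tenant-query"];

// Vulnerable pattern (as described for <= 10.0.20): the header is trusted as-is,
// so "true" turns off tenant scoping and the permission check in one step.
function resolveScopeVulnerable(headers: Headers, _session: Session): Scope {
  const multiTenant = headers["is-multi-tenant-query"] === "true";
  const projectId = headers["projectid"] ?? null;
  return { tenantScoped: !multiTenant, projectId, checkPermissions: !multiTenant };
}

// Hardened step 1: strip server-internal control headers from every inbound request.
function stripInternalHeaders(headers: Headers): Headers {
  const clean: Headers = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!CLIENT_FORBIDDEN_HEADERS.includes(key)) clean[key] = value;
  }
  return clean;
}

// Hardened step 2: the project comes from the client, but it must belong to the
// caller's session; scoping and permission checks are never optional.
function resolveScopeHardened(headers: Headers, session: Session): Scope {
  const clean = stripInternalHeaders(headers);
  const projectId = clean["projectid"] ?? null;
  if (projectId === null || !session.projectIds.includes(projectId)) {
    throw new Error("forbidden: project is not in the caller's tenant");
  }
  return { tenantScoped: true, projectId, checkPermissions: true };
}

// Detection: an inbound request carrying a server-internal flag is worth alerting on,
// whether or not the server still honours it.
function hasForgedControlHeader(headers: Headers): boolean {
  return Object.keys(headers).some((n) => CLIENT_FORBIDDEN_HEADERS.includes(n.toLowerCase()));
}

// Constructed sample: a member of project "p-alice" presents the forged flag and asks for "p-bob".
const sampleSession: Session = { userId: "u1", projectIds: ["p-alice"] };
const sampleHeaders: Headers = { "is-multi-tenant-query": "true", projectid: "p-bob" };
```

With the sample input, resolveScopeVulnerable returns an unscoped, unchecked scope for "p-bob", while resolveScopeHardened rejects the request and hasForgedControlHeader flags it.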
Severity (GHSA, CVSS 3.1): 10.0
Vulnerability type
CWE-285 Improper Authorization
CWE-862 Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026