5.3
OneUptime: Any authenticated user can resend WhatsApp verification codes
GHSA-cw6x-mw64-q6pv
CVE-2026-30959
Summary
The OneUptime platform has a security issue that allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by its ID, even if the record does not belong to them. This could be used to gain unauthorized access to WhatsApp accounts. To fix this, OneUptime should update their code to only allow verified owners to resend verification codes.
What to do
- Update oneuptime common to version 10.0.21.
- Update oneuptime @oneuptime/common to version 10.0.21.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| oneuptime | common | <= 10.0.21 | 10.0.21 |
| oneuptime | @oneuptime/common | <= 10.0.21 | 10.0.21 |
| hackerbay | oneuptime | <= 10.0.21 | – |
Original title
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp r...
Original description
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.
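The missing ownership check described above, modelled in memory as an added example; this is not OneUptime's code. Only the UserWhatsApp record name comes from the advisory, while the handler names, status codes and sample records are assumptions constructed for illustration.

```typescript
// Added example: constructed in-memory model, not OneUptime source code.
// Only the UserWhatsApp record name comes from the advisory; the rest is hypothetical.
interface UserWhatsApp { id: string; userId: string; phone: string; isVerified: boolean }
type Handler = (callerUserId: string, itemId: string) => number; // returns an HTTP status

// Constructed sample records owned by two different users.
const records = new Map<string, UserWhatsApp>([
  ["wa-1", { id: "wa-1", userId: "alice", phone: "+15550000001", isVerified: false }],
  ["wa-2", { id: "wa-2", userId: "bob", phone: "+15550000002", isVerified: false }],
]);
const outbox: string[] = []; // stands in for the WhatsApp message provider

// Before: the record is loaded by the caller-supplied ID and nothing else is checked.
const resendUnchecked: Handler = (_callerUserId, itemId) => {
  const item = records.get(itemId);
  if (!item) return 404;
  outbox.push(item.phone);
  return 200;
};

// After: the record must belong to the authenticated caller.
const resendOwnerOnly: Handler = (callerUserId, itemId) => {
  const item = records.get(itemId);
  // Same 404 for "missing" and "not yours" so record IDs cannot be probed.
  if (!item || item.userId !== callerUserId) return 404;
  if (item.isVerified) return 400; // nothing left to verify
  outbox.push(item.phone);
  return 200;
};

// Regression check: does the handler send a code for a record the caller does not own?
function allowsCrossUserResend(handler: Handler): boolean {
  const before = outbox.length;
  const status = handler("alice", "wa-2"); // alice targets bob's record
  return status === 200 || outbox.length > before;
}
```

A check shaped like `allowsCrossUserResend` fits in an API test suite so that every endpoint taking a record ID is exercised with a second user's session.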
ghsa CVSS4.0
5.3
Vulnerability type
CWE-285
Improper Authorization
CWE-307
CWE-639
Authorization Bypass Through User-Controlled Key
CWE-862
Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026