
OneUptime GitHub App allows unauthorized access to other projects

GHSA-656w-6f6c-m9r6 · CVE-2026-30920
Summary

OneUptime's GitHub App has a security flaw that could allow an attacker to access and manage other projects on GitHub. This could lead to unauthorized changes to project settings and data. Update to the latest version 10.0.19 to fix this issue.

What to do
  • Update the oneuptime common package to version 10.0.19.
  • Update the @oneuptime/common package to version 10.0.19.
Affected software
Vendor      Product             Affected versions   Fix available
oneuptime   common              <= 10.0.19          10.0.19
oneuptime   @oneuptime/common   <= 10.0.19          10.0.19
hackerbay   oneuptime           <= 10.0.19          –
Original title
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Projec...
Original description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
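The two defects the description names, a callback that takes its target project from attacker-controlled state and writes the installation binding without checking that the caller is authorized for that project, shown as a minimal vulnerable handler beside a hardened one. This is an added illustration and not OneUptime's code: the Project and Session shapes, the in-memory stores and the function names are hypothetical.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Constructed in-memory stores standing in for the database (hypothetical, not OneUptime's schema).
interface Project { id: string; gitHubAppInstallationId: string | null }
interface Session { userId: string; pendingGitHubState?: { nonce: string; projectId: string } }

const projects = new Map<string, Project>([
  ["proj-A", { id: "proj-A", gitHubAppInstallationId: null }],
  ["proj-B", { id: "proj-B", gitHubAppInstallationId: null }],
]);
// user-1 is a member of proj-A only.
const membership = new Map<string, Set<string>>([["user-1", new Set(["proj-A"])]]);

// Vulnerable shape: the target project is read from the attacker-controlled `state`
// parameter and the binding is written as root without any check on the caller.
function vulnerableCallback(state: string, installationId: string): string {
  const project = projects.get(state);
  if (!project) return "not found";
  project.gitHubAppInstallationId = installationId; // unauthorized overwrite of any project
  return "bound";
}

// Hardened: `state` is an opaque nonce issued when the install flow starts and bound,
// server-side, to the session and the project the user chose at that moment.
function beginInstall(session: Session, projectId: string): string {
  const nonce = randomBytes(16).toString("hex");
  session.pendingGitHubState = { nonce, projectId };
  return nonce; // sent to GitHub as `state`, echoed back to the callback unchanged
}

function hardenedCallback(session: Session, state: string, installationId: string): string {
  const pending = session.pendingGitHubState;
  if (!pending) return "no pending install";
  const a = Buffer.from(pending.nonce), b = Buffer.from(state);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return "state mismatch";
  session.pendingGitHubState = undefined; // nonce is single use, so a replay is rejected
  // The target project comes from the session, never from the request.
  const projectId = pending.projectId;
  if (!membership.get(session.userId)?.has(projectId)) return "forbidden";
  const project = projects.get(projectId);
  if (!project) return "not found";
  if (!/^\d+$/.test(installationId)) return "bad installation id"; // GitHub installation ids are numeric
  project.gitHubAppInstallationId = installationId;
  return "bound";
}

function getInstallation(projectId: string): string | null {
  return projects.get(projectId)?.gitHubAppInstallationId ?? null;
}
```

The same membership check belongs on the related endpoints that list repositories or create CodeRepository records for a project, since a valid installation ID alone proves nothing about who is calling.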
CVSS 3.1 (GHSA): 8.6
Vulnerability type
CWE-345 Insufficient Verification of Data Authenticity
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-862 Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026