CVE-2026-30920
Received Received - Intake
Authorization Bypass in OneUptime GitHub App Enables Project Hijacking

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30920
EUVD
EUVD-2026-10432
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30920 is a broken access control vulnerability in the GitHub App installation flow of the OneUptime project versions prior to 10.0.19.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the GitHub App callback endpoint trusts attacker-controlled, unsigned base64-encoded JSON values in the 'state' and 'installation_id' parameters without proper validation or authorization."}, {'type': 'paragraph', 'content': "Specifically, the callback decodes the 'state' parameter containing 'projectId' and 'userId' without verifying authenticity or binding it to a session, allowing an attacker to supply arbitrary values."}, {'type': 'paragraph', 'content': "This enables an attacker to update the Project.gitHubAppInstallationId field with root privileges for any project, effectively overwriting another project's GitHub App installation binding."}, {'type': 'paragraph', 'content': 'Additionally, related GitHub API endpoints lack effective authorization, allowing repository enumeration and creation of CodeRepository records in arbitrary projects using a valid installation ID.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized modification of project GitHub App bindings, allowing attackers to overwrite installation IDs with root privileges.

Attackers can cause temporary disruption of GitHub integrations by changing installation bindings.

It also enables cross-project binding of attacker-controlled installations, disclosure of repository metadata, and unauthorized creation of code repository records.

Because the attack requires no privileges or user interaction and has low complexity, it poses a high risk to affected systems.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or unauthorized GitHub App callback requests that include attacker-controlled, unsigned base64-encoded JSON values in the `state` and `installation_id` parameters. Specifically, look for callback requests where the `state` parameter contains arbitrary `projectId` and `userId` values without proper validation.'}, {'type': 'paragraph', 'content': 'Detection commands could include inspecting web server logs or API gateway logs for suspicious callback requests to the GitHub App callback endpoint that contain base64-encoded `state` parameters. Decoding these parameters and verifying their authenticity can help identify exploitation attempts.'}, {'type': 'list_item', 'content': 'Use command-line tools like `grep` or `jq` to extract and decode the `state` parameter from logs, for example:'}, {'type': 'list_item', 'content': "grep 'callback' /var/log/oneuptime/access.log | grep 'state=' | cut -d'=' -f2 | base64 --decode | jq '.'"}, {'type': 'list_item', 'content': 'Monitor for unexpected updates to `Project.gitHubAppInstallationId` fields with `isRoot: true` in your database or application logs.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the OneUptime package to version 10.0.19 or later, where this vulnerability has been fixed.

Additionally, review and restrict access to the GitHub App callback endpoints to ensure proper authorization checks are in place, and validate all incoming `state` and `installation_id` parameters to confirm they are authentic and authorized for the target project.

Monitor your projects for any unauthorized changes to GitHub App installation bindings and revoke any suspicious installation tokens.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30920. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart