Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30956 is a critical authorization bypass vulnerability in OneUptime versions prior to 10.0.21. It occurs because the server trusts a client-supplied HTTP header called `is-multi-tenant-query`. When a low-privileged authenticated user includes this header set to true along with a controlled `projectid` header, the system disables internal authorization and tenant isolation checks.'}, {'type': 'paragraph', 'content': "This bypass causes the BasePermission module to skip all permission validations, allowing attackers to access and modify project data belonging to other tenants, read sensitive user fields including password hashes and plaintext reset password tokens, and ultimately reset victims' passwords to take over their accounts."}, {'type': 'paragraph', 'content': 'The root cause is improper handling of the `is-multi-tenant-query` header, which leads to missing and bypassed authorization checks, resulting in cross-tenant data exposure and full account takeover.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to project data of other tenants, exposure of sensitive user information such as password hashes and plaintext reset password tokens, and full account takeover of victim users.

• Attackers can bypass tenant isolation and authorization controls.
• Attackers can read and modify data belonging to other tenants.
• Attackers can obtain plaintext password reset tokens and reset victim passwords.
• Attackers can fully take over victim accounts without user interaction.

Overall, this leads to critical breaches of confidentiality, integrity, and availability of data and accounts within the OneUptime platform.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API requests for the presence of the suspicious HTTP header `is-multi-tenant-query` set to `true` combined with a controlled `projectid` header. Such requests indicate attempts to bypass tenant isolation and authorization.'}, {'type': 'paragraph', 'content': 'Example detection commands could include inspecting HTTP traffic or logs for these headers in API requests, such as using network packet capture tools or log analysis.'}, {'type': 'list_item', 'content': 'Using tcpdump or Wireshark to filter HTTP headers containing `is-multi-tenant-query: true`.'}, {'type': 'list_item', 'content': 'Using grep or similar tools on server logs to find requests with `is-multi-tenant-query: true` and `projectid` headers.'}, {'type': 'list_item', 'content': "Example grep command: `grep -i 'is-multi-tenant-query: true' /var/log/oneuptime/access.log`"}, {'type': 'list_item', 'content': "Example curl command to test if the server improperly accepts the header: `curl -X POST https://your-oneuptime-instance/api/project/get-list -H 'authorization: Bearer <token>' -H 'projectid: <victim_project_id>' -H 'is-multi-tenant-query: true'` and observe if unauthorized data is returned."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OneUptime to version 10.0.21 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict access to the affected API endpoints to trusted users only and monitor for suspicious requests containing the `is-multi-tenant-query` header.

Additionally, review and tighten authorization checks on the server side to ensure that client-supplied headers cannot disable tenant isolation or permission validations.

Useful 0 Not Useful 0