CVE-2026-30959
Insecure Direct Object Reference in OneUptime UserWhatsApp API
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.21 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30959 is an authorization bypass vulnerability in OneUptime's WhatsApp resend-verification-code API endpoint. It allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by specifying its ID, without validating ownership. Unlike the verify endpoint, which checks that the UserWhatsApp record belongs to the authenticated user, the resend-verification-code endpoint lacks this authorization check.

This means an attacker with a valid account and knowledge of another user's UserWhatsApp item ID can cause verification codes to be sent repeatedly to that user's phone number. [2]
How can this vulnerability impact me?
This vulnerability can be exploited to spam or perform denial-of-service attacks on victims' phone numbers by repeatedly triggering verification code resends. This can lead to social engineering pressure on the victim or cause account lockouts due to excessive verification attempts. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the resend-verification-code endpoint allowing any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID without ownership validation.

To detect exploitation attempts on your system or network, you can monitor POST requests to the /api/user-whats-app/resend-verification-code endpoint, especially those that include itemIds not belonging to the authenticated user.

Suggested commands include inspecting web server or application logs for suspicious POST requests to this endpoint. For example, using grep on log files:
- grep "/api/user-whats-app/resend-verification-code" /var/log/nginx/access.log
- grep -r POST /path/to/application/logs | grep resend-verification-code

Additionally, you can look for repeated resend attempts from the same or different authenticated users targeting different itemIds, which may indicate abuse. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating OneUptime to version 10.0.21 or later, where this vulnerability has been patched.

The patch enforces ownership verification by ensuring that the UserWhatsApp item's userId matches the authenticated user's ID before allowing a resend of the verification code.

Additionally, implementing per-item and per-user rate limiting on resend attempts can help prevent abuse such as spamming or denial-of-service attacks.

If an immediate upgrade is not possible, consider monitoring and restricting access to the resend-verification-code endpoint and auditing authenticated user actions related to this endpoint. [2, 1]