CVE-2026-30959
Received Received - Intake
Insecure Direct Object Reference in OneUptime UserWhatsApp API

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30959
EUVD
EUVD-2026-10703
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30959 is an authorization bypass vulnerability in OneUptime's WhatsApp resend-verification-code API endpoint. It allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by specifying its ID without validating ownership. Unlike the verify endpoint, which checks if the UserWhatsApp record belongs to the authenticated user, the resend-verification-code endpoint lacks this authorization check."}, {'type': 'paragraph', 'content': "This means an attacker with a valid account and knowledge of another user's UserWhatsApp item ID can cause verification codes to be sent repeatedly to that user's phone number."}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can be exploited to spam or perform denial-of-service attacks on victims' phone numbers by repeatedly triggering verification code resends. This can lead to social engineering pressure on the victim or cause account lockouts due to excessive verification attempts."}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the resend-verification-code endpoint allowing any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID without ownership validation.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor POST requests to the /api/user-whats-app/resend-verification-code endpoint, especially those that include itemIds not belonging to the authenticated user.'}, {'type': 'paragraph', 'content': 'Suggested commands include inspecting web server or application logs for suspicious POST requests to this endpoint. For example, using grep on log files:'}, {'type': 'list_item', 'content': 'grep "/api/user-whats-app/resend-verification-code" /var/log/nginx/access.log'}, {'type': 'list_item', 'content': 'grep POST /path/to/application/logs | grep resend-verification-code'}, {'type': 'paragraph', 'content': 'Additionally, you can look for repeated resend attempts from the same or different authenticated users targeting different itemIds, which may indicate abuse.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating OneUptime to version 10.0.21 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "The patch enforces ownership verification by ensuring that the UserWhatsApp item's userId matches the authenticated user's ID before allowing a resend of the verification code."}, {'type': 'paragraph', 'content': 'Additionally, implementing per-item and per-user rate limiting on resend attempts can help prevent abuse such as spamming or denial-of-service attacks.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, consider monitoring and restricting access to the resend-verification-code endpoint and auditing authenticated user actions related to this endpoint.'}] [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart