CVE-2026-32306
SQL Injection in OneUptime Telemetry API Enables RCE
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hackerbay | oneuptime | up to 10.0.23 (10.0.23 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32306 is a critical SQL injection vulnerability in the telemetry aggregation API of the OneUptime monitoring solution. The API accepts user-controlled parameters—aggregationType, aggregateColumnName, and aggregationTimestampColumnName—and directly inserts them into ClickHouse SQL queries using raw string concatenation without any input validation, allowlisting, or parameterized query binding.
Because of this, an authenticated user can inject arbitrary SQL commands into the database queries. This allows attackers to read telemetry data from all tenants, modify data, read server files, and potentially execute remote code on the server via ClickHouse table functions.
The vulnerability arises from the lack of validation on these parameters and the use of the .append() method that simply concatenates strings to form SQL queries. It is fixed in version 10.0.23 by implementing allowlists, input validation, and parameterized queries.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full database compromise. An attacker with basic authentication can:
- Read telemetry data across all tenants, leading to cross-tenant data theft.
- Modify data in the database, including inserting, altering, or dropping data affecting all tenants.
- Read server files using ClickHouse’s file() table function.
- Execute remote code on the server through ClickHouse’s url() (SSRF) and executable() functions.
- Steal credentials by exploiting default ClickHouse configurations.
Overall, this leads to high confidentiality, integrity, and availability impacts on the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing requests to the telemetry aggregation API, specifically the POST endpoint `/{modelName}/aggregate` that accepts the `aggregateBy` object in the request body.
Detection involves checking for unusual or malicious SQL injection patterns in the parameters `aggregationType`, `aggregateColumnName`, and `aggregationTimestampColumnName` that are directly interpolated into SQL queries without validation.
You can use network monitoring tools or web application firewalls (WAF) to log and inspect POST requests to this endpoint for suspicious payloads containing SQL keywords such as UNION SELECT, file(), url(), or executable() functions.
Example commands to detect potential exploitation attempts might include:
- Using curl to test the vulnerable endpoint with suspicious parameters: `curl -X POST https://your-oneuptime-instance/{modelName}/aggregate -H 'Content-Type: application/json' -d '{"aggregateBy": {"aggregationType": "UNION SELECT", "aggregateColumnName": "1", "aggregationTimestampColumnName": "1"}}'`
- Using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint and inspect payloads for SQL injection patterns.
- grep or log analysis commands on server logs to find suspicious `aggregationType` values, e.g.: `grep -i 'aggregationType.*union' /var/log/oneuptime/access.log`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading OneUptime to version 10.0.23 or later, where the vulnerability is fixed.
If upgrading immediately is not possible, implement strict input validation and allowlisting on the parameters `aggregationType`, `aggregateColumnName`, and `aggregationTimestampColumnName` to restrict them to known safe values.
Specifically:
- Allowlist `aggregationType` to only safe aggregation functions such as AVG, SUM, COUNT, MIN, MAX, and UNIQ.
- Validate `aggregateColumnName` and `aggregationTimestampColumnName` against the model’s known columns to prevent injection.
- Avoid raw string concatenation in SQL queries; use parameterized queries or safe query builders.
Additionally, restrict access to the vulnerable API endpoint to trusted users only and monitor logs for suspicious activity.
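The following TypeScript is an added example and is not OneUptime's code. It models the query construction the advisory describes: a vulnerable builder that concatenates the three `aggregateBy` fields straight into ClickHouse SQL, beside a hardened builder that applies the allowlist (AVG, SUM, COUNT, MIN, MAX, UNIQ) and checks column names against the model's known columns, as the mitigation list above recommends. The same validator is then replayed over constructed log records to answer the detection question above: any logged `aggregateBy` the hardened endpoint would reject is a finding, which catches more than grepping for one keyword. The table name, the column set, the log record layout, and every function name are assumptions.

```typescript
// Added example, not OneUptime's code. Models the telemetry aggregate
// endpoint's query construction; all names and the log format are assumptions.

type AggregateBy = {
  aggregationType: string;
  aggregateColumnName: string;
  aggregationTimestampColumnName: string;
};

// Hypothetical telemetry model: the only column names the hardened path accepts.
const MODEL_COLUMNS: ReadonlySet<string> = new Set(["value", "duration_ms", "timestamp", "tenant_id"]);

// Allowlist from the mitigation guidance. Lookup is case-insensitive, and the
// emitted ClickHouse function name is the canonical spelling, never the caller's text.
const ALLOWED_AGGREGATIONS: ReadonlyMap<string, string> = new Map([
  ["avg", "avg"], ["sum", "sum"], ["count", "count"],
  ["min", "min"], ["max", "max"], ["uniq", "uniq"],
]);

class ValidationError extends Error {}

// Vulnerable pattern (CWE-89): each request field is pushed into the SQL text unchanged.
function buildAggregateQueryVulnerable(table: string, a: AggregateBy): string {
  const sql: string[] = [];
  sql.push("SELECT " + a.aggregationType + "(" + a.aggregateColumnName + ") AS agg, ");
  sql.push("toStartOfMinute(" + a.aggregationTimestampColumnName + ") AS ts ");
  sql.push("FROM " + table + " GROUP BY ts ORDER BY ts");
  return sql.join("");
}

// Shape-check and allowlist an untrusted aggregateBy object. Takes `unknown` so the
// same check can run over logged request bodies whose fields may be missing or mistyped.
function validateAggregateBy(input: unknown): { fn: string; column: string; tsColumn: string } {
  if (typeof input !== "object" || input === null) throw new ValidationError("aggregateBy is not an object");
  const a = input as Record<string, unknown>;
  for (const key of ["aggregationType", "aggregateColumnName", "aggregationTimestampColumnName"]) {
    if (typeof a[key] !== "string") throw new ValidationError(`${key} missing or not a string`);
  }
  const fn = ALLOWED_AGGREGATIONS.get((a.aggregationType as string).toLowerCase());
  if (fn === undefined) throw new ValidationError(`aggregationType not allowed: ${a.aggregationType}`);
  const column = a.aggregateColumnName as string;
  const tsColumn = a.aggregationTimestampColumnName as string;
  for (const col of [column, tsColumn]) {
    if (!MODEL_COLUMNS.has(col)) throw new ValidationError(`unknown column: ${col}`);
  }
  return { fn, column, tsColumn };
}

const quoteIdent = (id: string): string => "`" + id + "`";

// Hardened builder: only allowlisted values reach the SQL text. `table` is chosen
// server-side from the model name and is never taken from the request.
function buildAggregateQueryHardened(table: string, a: unknown): string {
  const v = validateAggregateBy(a);
  return `SELECT ${v.fn}(${quoteIdent(v.column)}) AS agg, toStartOfMinute(${quoteIdent(v.tsColumn)}) AS ts FROM ${quoteIdent(table)} GROUP BY ts ORDER BY ts`;
}

// Constructed sample of request-body log records (one JSON object per line); not real OneUptime logs.
const SAMPLE_LOG_LINES: string[] = [
  '{"ts":"2026-03-14T10:00:00Z","user":"alice","path":"/Metric/aggregate","body":{"aggregateBy":{"aggregationType":"AVG","aggregateColumnName":"value","aggregationTimestampColumnName":"timestamp"}}}',
  '{"ts":"2026-03-14T10:00:05Z","user":"mallory","path":"/Metric/aggregate","body":{"aggregateBy":{"aggregationType":"UNION SELECT","aggregateColumnName":"1","aggregationTimestampColumnName":"1"}}}',
  '{"ts":"2026-03-14T10:00:09Z","user":"bob","path":"/Metric/aggregate","body":{"aggregateBy":{"aggregationType":"count","aggregateColumnName":"duration_ms","aggregationTimestampColumnName":"timestamp"}}}',
  '{"ts":"2026-03-14T10:00:12Z","user":"bob","path":"/Metric/list","body":{}}',
];

type LogRecord = { ts?: string; user?: string; path?: string; body?: { aggregateBy?: unknown } };
type Finding = { ts: string; user: string; reason: string };

function parseRecord(line: string): LogRecord | null {
  try { return JSON.parse(line) as LogRecord; } catch { return null; } // skip malformed lines
}

// Detection: replay each logged aggregateBy through the validator. Anything the
// hardened endpoint would reject is reported with the reason the validator gave.
function findSuspiciousAggregateRequests(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const rec = parseRecord(line);
    if (rec === null) continue;
    if (typeof rec.path !== "string" || !rec.path.endsWith("/aggregate")) continue;
    if (rec.body === undefined || rec.body.aggregateBy === undefined) continue;
    try {
      validateAggregateBy(rec.body.aggregateBy);
    } catch (e) {
      if (!(e instanceof ValidationError)) throw e;
      findings.push({ ts: rec.ts ?? "?", user: rec.user ?? "?", reason: e.message });
    }
  }
  return findings;
}
```

Run over the constructed records, `findSuspiciousAggregateRequests(SAMPLE_LOG_LINES)` reports only the second request, because its `aggregationType` is not an allowlisted function; the legitimate `AVG` and `count` requests pass, and the non-aggregate request is ignored. The design point is that the allowlist, not identifier quoting, is the control: quoting is applied only after a value has already been matched against known functions and columns.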