Executive Summary

CVE-2026-32306 is a critical SQL injection vulnerability in the telemetry aggregation API of the OneUptime monitoring solution. The API accepts user-controlled parameters—aggregationType, aggregateColumnName, and aggregationTimestampColumnName—and directly inserts them into ClickHouse SQL queries using raw string concatenation without any input validation, allowlisting, or parameterized query binding.

Because of this, an authenticated user can inject arbitrary SQL commands into the database queries. This allows attackers to read telemetry data from all tenants, modify data, read server files, and potentially execute remote code on the server via ClickHouse table functions.

The vulnerability arises from the lack of validation on these parameters and the use of the .append() method that simply concatenates strings to form SQL queries. It is fixed in version 10.0.23 by implementing allowlists, input validation, and parameterized queries.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full database compromise. An attacker with basic authentication can:

• Read telemetry data across all tenants, leading to cross-tenant data theft.
• Modify data in the database, including inserting, altering, or dropping data affecting all tenants.
• Read server files using ClickHouse’s file() table function.
• Execute remote code on the server through ClickHouse’s url() (SSRF) and executable() functions.
• Steal credentials by exploiting default ClickHouse configurations.

Overall, this leads to high confidentiality, integrity, and availability impacts on the affected system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and analyzing requests to the telemetry aggregation API, specifically the POST endpoint `/{modelName}/aggregate` that accepts the `aggregateBy` object in the request body.'}, {'type': 'paragraph', 'content': 'Detection involves checking for unusual or malicious SQL injection patterns in the parameters `aggregationType`, `aggregateColumnName`, and `aggregationTimestampColumnName` that are directly interpolated into SQL queries without validation.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web application firewalls (WAF) to log and inspect POST requests to this endpoint for suspicious payloads containing SQL keywords such as UNION SELECT, file(), url(), or executable() functions.'}, {'type': 'paragraph', 'content': 'Example commands to detect potential exploitation attempts might include:'}, {'type': 'list_item', 'content': 'Using curl to test the vulnerable endpoint with suspicious parameters:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-oneuptime-instance/{modelName}/aggregate -H \'Content-Type: application/json\' -d \'{"aggregateBy": {"aggregationType": "UNION SELECT", "aggregateColumnName": "1", "aggregationTimestampColumnName": "1"}}\''}, {'type': 'list_item', 'content': 'Using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint and inspect payloads for SQL injection patterns.'}, {'type': 'list_item', 'content': 'grep or log analysis commands on server logs to find suspicious aggregationType values, e.g.:'}, {'type': 'list_item', 'content': "grep -i 'aggregationType.*union' /var/log/oneuptime/access.log"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading OneUptime to version 10.0.23 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, implement strict input validation and allowlisting on the parameters `aggregationType`, `aggregateColumnName`, and `aggregationTimestampColumnName` to restrict them to known safe values.

Specifically:

• Allowlist `aggregationType` to only safe aggregation functions such as AVG, SUM, COUNT, MIN, MAX, and UNIQ.
• Validate `aggregateColumnName` and `aggregationTimestampColumnName` against the model’s known columns to prevent injection.
• Avoid raw string concatenation in SQL queries; use parameterized queries or safe query builders.

Additionally, restrict access to the vulnerable API endpoint to trusted users only and monitor logs for suspicious activity.

Useful 0 Not Useful 0