CVE-2026-32598
Received Received - Intake
Information Disclosure in OneUptime Password Reset Logs Enables Account Takeover

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL β€” containing the plaintext reset token β€” at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32598
EUVD
EUVD-2026-11730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability allows attackers who have access to application logs to intercept password reset tokens. This can lead to unauthorized account takeover, compromising user accounts and potentially exposing sensitive user data or allowing malicious actions under the guise of legitimate users.

Compliance Impact

I don't know

Executive Summary

This vulnerability exists in OneUptime versions prior to 10.0.24. During the password reset process, the application logs the entire password reset URL, which includes the plaintext reset token, at the INFO log level. Since INFO logging is enabled by default in production environments, anyone who has access to the application logsβ€”such as log aggregation systems, Docker logs, or Kubernetes pod logsβ€”can see these reset tokens. With these tokens, an attacker can perform account takeover on any user.

Detection Guidance

This vulnerability can be detected by inspecting the application logs for the presence of password reset URLs containing plaintext reset tokens. Since the reset URLs are logged at the INFO level by default, reviewing logs from log aggregation systems, Docker logs, or Kubernetes pod logs can reveal these tokens.

Commands to detect this might include searching logs for reset URLs or tokens. For example, using grep on log files or logs streams:

  • grep -i 'reset' /path/to/application/logs/*
  • kubectl logs <pod-name> | grep -i 'reset'
  • docker logs <container-id> | grep -i 'reset'

These commands help identify if reset URLs with tokens are being logged, indicating exposure to the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade OneUptime to version 10.0.24 or later, where this vulnerability is fixed.

Additionally, restrict access to application logs to trusted personnel only, and consider temporarily disabling or reducing the log level of password reset flows to avoid logging sensitive tokens.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart