CVE-2026-32598
Received Received - Intake
Information Disclosure in OneUptime Password Reset Logs Enables Account Takeover

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL β€” containing the plaintext reset token β€” at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-05-07
AI Q&A
2026-03-13
EPSS Evaluated
2026-05-05
NVD
CVE-2026-32598
EUVD
EUVD-2026-11730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hackerbay oneuptime to 10.0.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

The vulnerability allows attackers who have access to application logs to intercept password reset tokens. This can lead to unauthorized account takeover, compromising user accounts and potentially exposing sensitive user data or allowing malicious actions under the guise of legitimate users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Can you explain this vulnerability to me?

This vulnerability exists in OneUptime versions prior to 10.0.24. During the password reset process, the application logs the entire password reset URL, which includes the plaintext reset token, at the INFO log level. Since INFO logging is enabled by default in production environments, anyone who has access to the application logsβ€”such as log aggregation systems, Docker logs, or Kubernetes pod logsβ€”can see these reset tokens. With these tokens, an attacker can perform account takeover on any user.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the application logs for the presence of password reset URLs containing plaintext reset tokens. Since the reset URLs are logged at the INFO level by default, reviewing logs from log aggregation systems, Docker logs, or Kubernetes pod logs can reveal these tokens.

Commands to detect this might include searching logs for reset URLs or tokens. For example, using grep on log files or logs streams:

  • grep -i 'reset' /path/to/application/logs/*
  • kubectl logs <pod-name> | grep -i 'reset'
  • docker logs <container-id> | grep -i 'reset'

These commands help identify if reset URLs with tokens are being logged, indicating exposure to the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OneUptime to version 10.0.24 or later, where this vulnerability is fixed.

Additionally, restrict access to application logs to trusted personnel only, and consider temporarily disabling or reducing the log level of password reset flows to avoid logging sensitive tokens.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart